Talos Rules 2020-04-14
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2020-0784: A coding deficiency exists in DirectX Graphics Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53621 through 53622.

Microsoft Vulnerability CVE-2020-0888: A coding deficiency exists in DirectX Graphics Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53625 through 53626.

Microsoft Vulnerability CVE-2020-0938: A coding deficiency exists in OpenType Font Parsing that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 53489 through 53490.

Microsoft Vulnerability CVE-2020-0956: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53652 through 53653.

Microsoft Vulnerability CVE-2020-0957: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53654 through 53655.

Microsoft Vulnerability CVE-2020-0958: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53627 through 53628.

Microsoft Vulnerability CVE-2020-0968: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53623 through 53624.

Microsoft Vulnerability CVE-2020-1004: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53619 through 53620.

Microsoft Vulnerability CVE-2020-1020: A coding deficiency exists in Adobe Font Manager Library that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 53491 through 53492.

Microsoft Vulnerability CVE-2020-1027: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53629 through 53630.

Talos also has added and modified multiple rules in the browser-ie, deleted, file-flash, file-image, file-multimedia, file-office, file-other, indicator-compromise, malware-cnc, malware-other, malware-tools, os-linux, os-other, os-windows, protocol-dns, protocol-other and server-samba rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-04-14 16:57:43 UTC

Snort Subscriber Rules Update

Date: 2020-04-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53631 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panda variant outbound connection attempt (malware-cnc.rules)
 * 1:53630 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53629 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53628 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53627 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53626 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53624 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53623 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53622 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53621 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53620 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53618 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53617 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53616 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53615 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53649 <-> DISABLED <-> INDICATOR-COMPROMISE PHP eval command execution attempt (indicator-compromise.rules)
 * 1:53648 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WildPressure variant outbound connection attempt (malware-cnc.rules)
 * 1:53647 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53646 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53644 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53642 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda malicious DLL loader attempt (malware-tools.rules)
 * 1:53641 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53640 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53639 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53638 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53637 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53636 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53634 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53657 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53656 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53655 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53658 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53659 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 3:53651 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)
 * 3:53650 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)

Modified Rules:


 * 1:44694 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:53491 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53489 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:53492 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53490 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:44695 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)

2020-04-14 16:57:43 UTC

Snort Subscriber Rules Update

Date: 2020-04-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53615 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53648 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WildPressure variant outbound connection attempt (malware-cnc.rules)
 * 1:53649 <-> DISABLED <-> INDICATOR-COMPROMISE PHP eval command execution attempt (indicator-compromise.rules)
 * 1:53619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53620 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53621 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53622 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53617 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53626 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53627 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53628 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53629 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53630 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53631 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panda variant outbound connection attempt (malware-cnc.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53634 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53636 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53637 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53638 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53639 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53640 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53642 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda malicious DLL loader attempt (malware-tools.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53646 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53641 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53647 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53644 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53655 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53659 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53658 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53657 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53656 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53616 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53624 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53623 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53618 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 3:53651 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)
 * 3:53650 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)

Modified Rules:


 * 1:44694 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:53491 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53489 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:53492 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53490 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:44695 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)

2020-04-14 16:57:43 UTC

Snort Subscriber Rules Update

Date: 2020-04-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53648 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WildPressure variant outbound connection attempt (malware-cnc.rules)
 * 1:53615 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53657 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53656 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53655 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53616 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53649 <-> DISABLED <-> INDICATOR-COMPROMISE PHP eval command execution attempt (indicator-compromise.rules)
 * 1:53647 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53659 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53658 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53620 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53621 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53622 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53617 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53626 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53627 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53628 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53629 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53634 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53630 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53631 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panda variant outbound connection attempt (malware-cnc.rules)
 * 1:53636 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53646 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53637 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53638 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53641 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53642 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda malicious DLL loader attempt (malware-tools.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53644 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53640 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53639 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53624 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53623 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53618 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 3:53650 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)
 * 3:53651 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)

Modified Rules:


 * 1:44694 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:53489 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:53492 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53490 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:53491 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:44695 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)

2020-04-14 16:57:43 UTC

Snort Subscriber Rules Update

Date: 2020-04-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53646 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53615 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53648 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WildPressure variant outbound connection attempt (malware-cnc.rules)
 * 1:53659 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53658 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53655 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53656 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53649 <-> DISABLED <-> INDICATOR-COMPROMISE PHP eval command execution attempt (indicator-compromise.rules)
 * 1:53620 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53621 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53622 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53617 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53647 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53626 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53627 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53628 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53629 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53631 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panda variant outbound connection attempt (malware-cnc.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53634 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53630 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53637 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53638 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53639 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53640 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53641 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53642 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda malicious DLL loader attempt (malware-tools.rules)
 * 1:53624 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53623 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53657 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53644 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53616 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53636 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53618 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 3:53650 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)
 * 3:53651 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)

Modified Rules:


 * 1:53491 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53489 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:53492 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53490 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:44694 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44695 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)

2020-04-14 16:57:43 UTC

Snort Subscriber Rules Update

Date: 2020-04-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53615 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53644 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53659 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53649 <-> DISABLED <-> INDICATOR-COMPROMISE PHP eval command execution attempt (indicator-compromise.rules)
 * 1:53646 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53658 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53655 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53648 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WildPressure variant outbound connection attempt (malware-cnc.rules)
 * 1:53620 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53621 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53656 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53622 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53617 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53626 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53627 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53628 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53629 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53630 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53631 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panda variant outbound connection attempt (malware-cnc.rules)
 * 1:53647 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53634 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53623 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53624 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53638 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53639 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53640 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53641 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53637 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53657 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53636 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53616 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53618 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53642 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda malicious DLL loader attempt (malware-tools.rules)
 * 3:53650 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)
 * 3:53651 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)

Modified Rules:


 * 1:53491 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53489 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:53492 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53490 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:44695 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44694 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)

2020-04-14 16:57:43 UTC

Snort Subscriber Rules Update

Date: 2020-04-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53620 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53615 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53648 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WildPressure variant outbound connection attempt (malware-cnc.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53658 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53656 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53655 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53649 <-> DISABLED <-> INDICATOR-COMPROMISE PHP eval command execution attempt (indicator-compromise.rules)
 * 1:53647 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53646 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53659 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53622 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53618 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53617 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53621 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53627 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53628 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53630 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53631 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panda variant outbound connection attempt (malware-cnc.rules)
 * 1:53626 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53629 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53636 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53624 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53623 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53644 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53641 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53637 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53638 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53639 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53616 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53657 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53640 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53642 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda malicious DLL loader attempt (malware-tools.rules)
 * 1:53634 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 3:53650 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)
 * 3:53651 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)

Modified Rules:


 * 1:53492 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53490 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:44694 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44695 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:53491 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53489 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)

2020-04-14 16:57:43 UTC

Snort Subscriber Rules Update

Date: 2020-04-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53626 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (snort3-os-windows.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (snort3-malware-tools.rules)
 * 1:53616 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (snort3-malware-other.rules)
 * 1:53649 <-> DISABLED <-> INDICATOR-COMPROMISE PHP eval command execution attempt (snort3-indicator-compromise.rules)
 * 1:53637 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (snort3-malware-other.rules)
 * 1:53644 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (snort3-malware-tools.rules)
 * 1:53618 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (snort3-malware-other.rules)
 * 1:53659 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (snort3-malware-other.rules)
 * 1:53654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (snort3-os-windows.rules)
 * 1:53656 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (snort3-malware-other.rules)
 * 1:53638 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (snort3-malware-other.rules)
 * 1:53615 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (snort3-malware-other.rules)
 * 1:53625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (snort3-os-windows.rules)
 * 1:53657 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (snort3-malware-other.rules)
 * 1:53623 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:53627 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (snort3-os-windows.rules)
 * 1:53652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (snort3-os-windows.rules)
 * 1:53617 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (snort3-malware-other.rules)
 * 1:53653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (snort3-os-windows.rules)
 * 1:53628 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (snort3-os-windows.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (snort3-malware-other.rules)
 * 1:53629 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (snort3-os-windows.rules)
 * 1:53630 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (snort3-os-windows.rules)
 * 1:53634 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (snort3-malware-other.rules)
 * 1:53631 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panda variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (snort3-malware-other.rules)
 * 1:53647 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (snort3-malware-other.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (snort3-malware-other.rules)
 * 1:53620 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (snort3-os-windows.rules)
 * 1:53636 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (snort3-malware-other.rules)
 * 1:53641 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (snort3-malware-tools.rules)
 * 1:53642 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda malicious DLL loader attempt (snort3-malware-tools.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (snort3-malware-tools.rules)
 * 1:53646 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (snort3-malware-other.rules)
 * 1:53640 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (snort3-malware-other.rules)
 * 1:53658 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (snort3-malware-other.rules)
 * 1:53624 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:53655 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (snort3-os-windows.rules)
 * 1:53648 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WildPressure variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:53639 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (snort3-malware-other.rules)
 * 1:53621 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (snort3-os-windows.rules)
 * 1:53622 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (snort3-os-windows.rules)
 * 1:53619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:53491 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (snort3-file-other.rules)
 * 1:44695 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (snort3-file-office.rules)
 * 1:53489 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (snort3-file-other.rules)
 * 1:44694 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (snort3-file-office.rules)
 * 1:53492 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (snort3-file-other.rules)
 * 1:53490 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (snort3-file-other.rules)

2020-04-14 16:57:43 UTC

Snort Subscriber Rules Update

Date: 2020-04-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53648 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WildPressure variant outbound connection attempt (malware-cnc.rules)
 * 1:53620 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:53617 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53647 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53657 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53649 <-> DISABLED <-> INDICATOR-COMPROMISE PHP eval command execution attempt (indicator-compromise.rules)
 * 1:53623 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53624 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:53634 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53646 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WildPressure malicious executable download attempt (malware-other.rules)
 * 1:53655 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53654 <-> DISABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k driver elevation of privileges attempt (os-windows.rules)
 * 1:53622 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53616 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 1:53653 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53642 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda malicious DLL loader attempt (malware-tools.rules)
 * 1:53644 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53621 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53658 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53652 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CF_PALETTE privilege escalation attempt (os-windows.rules)
 * 1:53625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53627 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53628 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:53630 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53631 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panda variant outbound connection attempt (malware-cnc.rules)
 * 1:53626 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX elevation of privilege attempt (os-windows.rules)
 * 1:53629 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel CSRSS privilege escalation attempt (os-windows.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53618 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659544-0 download attempt (malware-other.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53640 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53636 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53637 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53638 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53659 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x64 executable download attempt (malware-other.rules)
 * 1:53641 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53639 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda file download attempt (malware-other.rules)
 * 1:53656 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike x86 executable download attempt (malware-other.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53615 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Upatre-7659504-0 download attempt (malware-other.rules)
 * 3:53651 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)
 * 3:53650 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1045 attack attempt (file-office.rules)

Modified Rules:


 * 1:53492 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53490 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)
 * 1:44694 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44695 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:53491 <-> ENABLED <-> FILE-OTHER Microsoft Windows Type 1 font stack overflow attempt (file-other.rules)
 * 1:53489 <-> ENABLED <-> FILE-OTHER Microsoft Windows fontdrvhost SetBlendDesignPositions out of bounds write attempt (file-other.rules)