Talos Rules 2020-11-10
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2020-16998: A coding deficiency exists in DirectX Graphics Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56254 through 56255.

Microsoft Vulnerability CVE-2020-17010: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56263 through 56264.

Microsoft Vulnerability CVE-2020-17038: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56261 through 56262.

Microsoft Vulnerability CVE-2020-17047: A coding deficiency exists in Microsoft Windows Network File System that may lead to denial of service.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 56309.

Microsoft Vulnerability CVE-2020-17051: A coding deficiency exists in Microsoft Windows Network File System that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56311 through 56312.

Microsoft Vulnerability CVE-2020-17052: A coding deficiency exists in Microsoft Windows Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56286 through 56287.

Microsoft Vulnerability CVE-2020-17053: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56288 through 56289.

Microsoft Vulnerability CVE-2020-17056: A coding deficiency exists in Microsoft Windows Network File System that may lead to information disclosure.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56301 through 56302.

Microsoft Vulnerability CVE-2020-17057: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56259 through 56260.

Microsoft Vulnerability CVE-2020-17061: A coding deficiency exists in Microsoft SharePoint that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56303 through 56305.

Microsoft Vulnerability CVE-2020-17087: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Previously released rules detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 56230 through 56231.

Microsoft Vulnerability CVE-2020-17088: A coding deficiency exists in Microsoft Windows Common Log File System that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56295 through 56296.

Talos has also added and modified multiple rules in the browser-ie and os-windows rule sets to provide coverage for emerging threats targeting these technologies.
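Added example, not Talos's own tooling: a Python check that takes the CVE-to-SID ranges listed above and verifies, against a local Snort 2 rules file, that every SID is present and shipped enabled. Snort 2 rule files mark a rule that ships disabled with a leading "#" in front of the action keyword, and a rule without an explicit gid option belongs to GID 1, which is what the advisory refers to. The rule lines embedded in the block are constructed stand-ins carrying only the sid, rev and reference fields the check needs; they are not the real rule bodies from the rule pack.

```python
"""Cross-check a Snort 2 rules file against the SIDs named in a Talos advisory.

Added example, not Talos tooling. Reads Snort 2 rule syntax (a leading '#'
before the action keyword means the rule ships disabled) and reports, per
CVE, which advisory SIDs are present, enabled, or missing.
"""
import re
from dataclasses import dataclass

# CVE -> inclusive SID range, transcribed from the advisory text above (GID 1).
ADVISORY_SIDS = {
    "CVE-2020-16998": (56254, 56255),
    "CVE-2020-17010": (56263, 56264),
    "CVE-2020-17038": (56261, 56262),
    "CVE-2020-17047": (56309, 56309),
    "CVE-2020-17051": (56311, 56312),
    "CVE-2020-17052": (56286, 56287),
    "CVE-2020-17053": (56288, 56289),
    "CVE-2020-17056": (56301, 56302),
    "CVE-2020-17057": (56259, 56260),
    "CVE-2020-17061": (56303, 56305),
    "CVE-2020-17087": (56230, 56231),
    "CVE-2020-17088": (56295, 56296),
}

# Constructed sample rules file. Headers, msg text and detection options are
# placeholders; only sid/rev/reference and the leading '#' matter here.
SAMPLE_RULES = """\
# A plain comment line, not a rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"OS-WINDOWS NFS sample"; reference:cve,2020-17051; classtype:attempted-admin; sid:56311; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"OS-WINDOWS NFS sample"; reference:cve,2020-17051; classtype:attempted-admin; sid:56312; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE sample"; reference:cve,2020-17053; classtype:attempted-user; sid:56288; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE sample"; reference:cve,2020-17053; classtype:attempted-user; sid:56289; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS kernel sample"; reference:cve,2020-17087; classtype:attempted-admin; sid:56230; rev:2;)
"""

# A rule line: optional '#' (shipped disabled), an action keyword, then the
# option block in parentheses. Non-rule comments do not match.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?:alert|drop|log|pass|reject|sdrop)\s+.*?\(\s*(?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


@dataclass
class Rule:
    gid: int
    sid: int
    enabled: bool


def parse_rules(text):
    """Return {(gid, sid): Rule} for every rule line in a Snort 2 rules file."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and ordinary comments
        sid_m = SID_RE.search(m.group("opts"))
        if not sid_m:
            continue  # malformed rule without a sid; skip rather than guess
        gid_m = GID_RE.search(m.group("opts"))
        gid = int(gid_m.group(1)) if gid_m else 1  # Snort defaults gid to 1
        sid = int(sid_m.group(1))
        rules[(gid, sid)] = Rule(gid, sid, enabled=m.group("disabled") is None)
    return rules


def coverage(rules, advisory=ADVISORY_SIDS, gid=1):
    """Per CVE: expected, present, enabled and missing SIDs from the rules file."""
    report = {}
    for cve, (lo, hi) in advisory.items():
        expected = list(range(lo, hi + 1))
        present = [s for s in expected if (gid, s) in rules]
        enabled = [s for s in present if rules[(gid, s)].enabled]
        missing = [s for s in expected if (gid, s) not in rules]
        report[cve] = {"expected": expected, "present": present,
                       "enabled": enabled, "missing": missing}
    return report


def gaps(report):
    """CVEs for which not every advisory SID is both present and enabled."""
    return sorted(c for c, r in report.items()
                  if len(r["enabled"]) != len(r["expected"]))


if __name__ == "__main__":
    rep = coverage(parse_rules(SAMPLE_RULES))
    for cve in gaps(rep):
        r = rep[cve]
        print(f"{cve}: missing={r['missing']} disabled="
              f"{sorted(set(r['present']) - set(r['enabled']))}")
```

Run it against the real rule files instead of the constructed sample by passing the file contents to parse_rules; a SID that is present but disabled will show up under gaps until the rule is enabled in the local policy.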

Change logs

2020-11-11 02:20:06 UTC

Snort Subscriber Rules Update

Date: 2020-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56313 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)
 * 1:56314 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)

Modified Rules:


 * 1:56290 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malicious Netlogon NetrServerAuthenticate3 request attempt (os-windows.rules)
 * 1:56288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt  (browser-ie.rules)
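Added example, not Talos's or Snort's own tooling: a parser for the change-log entry format stated above (gid:sid <-> Default rule state <-> Message (rule group)), run over entries constructed from this change log. It tracks which section an entry falls under, pulls the category prefix out of the message, and lists the new rules that ship DISABLED, since those are the ones an operator has to enable deliberately after the update.

```python
"""Parse Snort Subscriber Rules Update change-log entries.

Added example, not Talos or Snort tooling. Entry shape, as the change log
states it:  gid:sid <-> Default rule state <-> Message (rule group)
"""
import re
from collections import Counter

# Constructed from the entries printed in the change log above.
SAMPLE_CHANGELOG = """\
New Rules:


 * 1:56313 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)
 * 1:56314 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)

Modified Rules:


 * 1:56290 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malicious Netlogon NetrServerAuthenticate3 request attempt (os-windows.rules)
 * 1:56288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt  (browser-ie.rules)
"""

SECTION_RE = re.compile(r"^(?P<section>New|Modified) Rules:\s*$")
# Message is matched lazily so the trailing "(group.rules)" is never swallowed,
# even when the message itself contains parentheses or extra spaces.
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return a list of entry dicts, each tagged with its section ('new'/'modified')."""
    entries = []
    section = None
    for line in text.splitlines():
        s = SECTION_RE.match(line)
        if s:
            section = s.group("section").lower()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, blank lines, format description
        msg = m.group("msg")
        entries.append({
            "section": section,
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "enabled": m.group("state") == "ENABLED",
            "category": msg.split(" ", 1)[0],  # e.g. MALWARE-OTHER, OS-WINDOWS
            "msg": msg,
            "group": m.group("group"),
        })
    return entries


def summarize(entries):
    """Count entries by (section, rule group)."""
    return Counter((e["section"], e["group"]) for e in entries)


def disabled_new_sids(entries):
    """SIDs added in this update that ship disabled by default."""
    return sorted(e["sid"] for e in entries
                  if e["section"] == "new" and not e["enabled"])


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for key, n in sorted(summarize(parsed).items()):
        print(f"{key[0]:9} {key[1]:28} {n}")
    print("new but disabled:", disabled_new_sids(parsed))
```

The same parser reads the Snort 3 sections unchanged, because the group names there (snort3-malware-other.rules and so on) still end in ".rules".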

2020-11-11 02:20:06 UTC

Snort Subscriber Rules Update

Date: 2020-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56313 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)
 * 1:56314 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)

Modified Rules:


 * 1:56290 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malicious Netlogon NetrServerAuthenticate3 request attempt (os-windows.rules)
 * 1:56288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt  (browser-ie.rules)

2020-11-11 02:20:06 UTC

Snort Subscriber Rules Update

Date: 2020-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56313 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)
 * 1:56314 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)

Modified Rules:


 * 1:56290 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malicious Netlogon NetrServerAuthenticate3 request attempt (os-windows.rules)
 * 1:56288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt  (browser-ie.rules)

2020-11-11 02:20:06 UTC

Snort Subscriber Rules Update

Date: 2020-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56313 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)
 * 1:56314 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)

Modified Rules:


 * 1:56288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt  (browser-ie.rules)
 * 1:56290 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malicious Netlogon NetrServerAuthenticate3 request attempt (os-windows.rules)

2020-11-11 02:20:06 UTC

Snort Subscriber Rules Update

Date: 2020-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56313 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)
 * 1:56314 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)

Modified Rules:


 * 1:56288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt  (browser-ie.rules)
 * 1:56290 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malicious Netlogon NetrServerAuthenticate3 request attempt (os-windows.rules)

2020-11-11 02:20:06 UTC

Snort Subscriber Rules Update

Date: 2020-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56314 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)
 * 1:56313 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)

Modified Rules:


 * 1:56288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt  (browser-ie.rules)
 * 1:56290 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malicious Netlogon NetrServerAuthenticate3 request attempt (os-windows.rules)

2020-11-11 02:20:06 UTC

Snort Subscriber Rules Update

Date: 2020-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56313 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)
 * 1:56314 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)

Modified Rules:


 * 1:56288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt  (browser-ie.rules)
 * 1:56290 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malicious Netlogon NetrServerAuthenticate3 request attempt (os-windows.rules)

2020-11-11 02:20:06 UTC

Snort Subscriber Rules Update

Date: 2020-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56313 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (snort3-malware-other.rules)
 * 1:56314 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (snort3-malware-other.rules)

Modified Rules:


 * 1:56290 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malicious Netlogon NetrServerAuthenticate3 request attempt (snort3-os-windows.rules)
 * 1:56288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt  (snort3-browser-ie.rules)

2020-11-11 02:20:06 UTC

Snort Subscriber Rules Update

Date: 2020-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56313 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)
 * 1:56314 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download  (malware-other.rules)

Modified Rules:


 * 1:56288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt  (browser-ie.rules)
 * 1:56290 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malicious Netlogon NetrServerAuthenticate3 request attempt (os-windows.rules)