Talos Rules 2020-12-09
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, malware-tools, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-12-10 00:52:31 UTC

Snort Subscriber Rules Update

Date: 2020-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56594 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56595 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56596 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56597 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56598 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original inbound connection attempt (malware-cnc.rules)
 * 1:56599 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original stager outbound connection attempt (malware-cnc.rules)
 * 1:56600 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56601 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Stager 2 download attempt (malware-cnc.rules)
 * 1:56602 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Server 3 inbound beacon attempt (malware-cnc.rules)
 * 1:56603 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56604 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics NAV remote code execution attempt (server-webapp.rules)
 * 1:56605 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56606 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56607 <-> DISABLED <-> MALWARE-CNC potential Rat.Tool.CSBundleUSAToday connectivity check (malware-cnc.rules)
 * 1:56608 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon inbound connection attempt (malware-other.rules)
 * 1:56609 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56610 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56611 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56612 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56613 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56614 <-> DISABLED <-> MALWARE-BACKDOOR Cobalt Strike beacon connection attempt (malware-backdoor.rules)
 * 1:56615 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56616 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56617 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon inbound connection attempt (malware-cnc.rules)
 * 1:56292 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download (malware-other.rules)
 * 1:56563 <-> DISABLED <-> SERVER-WEBAPP Apache Server mod_proxy Error Page cross site scripting attempt (server-webapp.rules)
 * 1:56564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerRatankba variant download attempt (malware-cnc.rules)
 * 1:56565 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.AnchorBotDNS variant outbound ICMP connection (indicator-compromise.rules)
 * 1:56566 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorInstaller variant download attempt (malware-tools.rules)
 * 1:56567 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorbotDNS variant download attempt (malware-tools.rules)
 * 1:56568 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Anchorbot variant download attempt (malware-tools.rules)
 * 1:56569 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.MemscraperDNS variant download attempt (malware-tools.rules)
 * 1:56570 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Memscraper variant download attempt (malware-tools.rules)
 * 1:56571 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 SET_INFO information disclosure attempt (os-windows.rules)
 * 1:56574 <-> DISABLED <-> BROWSER-OTHER Microsoft Teams mention functionality displayName remote code execution attempt (browser-other.rules)
 * 1:56577 <-> ENABLED <-> MALWARE-CNC Lokibot outbound connection attempt (malware-cnc.rules)
 * 1:56578 <-> ENABLED <-> MALWARE-OTHER Lokibot download attempt (malware-other.rules)
 * 1:56579 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo Insight Smart Plug libUPnPHndlr.so stack buffer overflow attempt (server-webapp.rules)
 * 1:56580 <-> DISABLED <-> POLICY-OTHER file URI redirect attempt (policy-other.rules)
 * 1:56581 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56582 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56583 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56584 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56585 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56586 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ServiceDesk Plus arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:56587 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.SSLBeacon variant certificate exchange attempt (malware-cnc.rules)
 * 1:56592 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56593 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)

Modified Rules:


 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)

2020-12-10 00:52:31 UTC

Snort Subscriber Rules Update

Date: 2020-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56292 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download (malware-other.rules)
 * 1:56563 <-> DISABLED <-> SERVER-WEBAPP Apache Server mod_proxy Error Page cross site scripting attempt (server-webapp.rules)
 * 1:56564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerRatankba variant download attempt (malware-cnc.rules)
 * 1:56565 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.AnchorBotDNS variant outbound ICMP connection (indicator-compromise.rules)
 * 1:56566 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorInstaller variant download attempt (malware-tools.rules)
 * 1:56567 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorbotDNS variant download attempt (malware-tools.rules)
 * 1:56568 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Anchorbot variant download attempt (malware-tools.rules)
 * 1:56569 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.MemscraperDNS variant download attempt (malware-tools.rules)
 * 1:56570 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Memscraper variant download attempt (malware-tools.rules)
 * 1:56571 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 SET_INFO information disclosure attempt (os-windows.rules)
 * 1:56574 <-> DISABLED <-> BROWSER-OTHER Microsoft Teams mention functionality displayName remote code execution attempt (browser-other.rules)
 * 1:56577 <-> ENABLED <-> MALWARE-CNC Lokibot outbound connection attempt (malware-cnc.rules)
 * 1:56578 <-> ENABLED <-> MALWARE-OTHER Lokibot download attempt (malware-other.rules)
 * 1:56579 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo Insight Smart Plug libUPnPHndlr.so stack buffer overflow attempt (server-webapp.rules)
 * 1:56580 <-> DISABLED <-> POLICY-OTHER file URI redirect attempt (policy-other.rules)
 * 1:56609 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56608 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon inbound connection attempt (malware-other.rules)
 * 1:56610 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56611 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56612 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56613 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56614 <-> DISABLED <-> MALWARE-BACKDOOR Cobalt Strike beacon connection attempt (malware-backdoor.rules)
 * 1:56615 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56616 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56617 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon inbound connection attempt (malware-cnc.rules)
 * 1:56607 <-> DISABLED <-> MALWARE-CNC potential Rat.Tool.CSBundleUSAToday connectivity check (malware-cnc.rules)
 * 1:56581 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56582 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56583 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56584 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56585 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56586 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ServiceDesk Plus arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:56587 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.SSLBeacon variant certificate exchange attempt (malware-cnc.rules)
 * 1:56592 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56593 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56594 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56595 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56596 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56597 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56598 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original inbound connection attempt (malware-cnc.rules)
 * 1:56599 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original stager outbound connection attempt (malware-cnc.rules)
 * 1:56600 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56601 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Stager 2 download attempt (malware-cnc.rules)
 * 1:56602 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Server 3 inbound beacon attempt (malware-cnc.rules)
 * 1:56603 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56604 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics NAV remote code execution attempt (server-webapp.rules)
 * 1:56605 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56606 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)

Modified Rules:


 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)

2020-12-10 00:52:31 UTC

Snort Subscriber Rules Update

Date: 2020-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56608 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon inbound connection attempt (malware-other.rules)
 * 1:56292 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download (malware-other.rules)
 * 1:56563 <-> DISABLED <-> SERVER-WEBAPP Apache Server mod_proxy Error Page cross site scripting attempt (server-webapp.rules)
 * 1:56564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerRatankba variant download attempt (malware-cnc.rules)
 * 1:56565 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.AnchorBotDNS variant outbound ICMP connection (indicator-compromise.rules)
 * 1:56566 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorInstaller variant download attempt (malware-tools.rules)
 * 1:56582 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56569 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.MemscraperDNS variant download attempt (malware-tools.rules)
 * 1:56568 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Anchorbot variant download attempt (malware-tools.rules)
 * 1:56570 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Memscraper variant download attempt (malware-tools.rules)
 * 1:56571 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 SET_INFO information disclosure attempt (os-windows.rules)
 * 1:56574 <-> DISABLED <-> BROWSER-OTHER Microsoft Teams mention functionality displayName remote code execution attempt (browser-other.rules)
 * 1:56577 <-> ENABLED <-> MALWARE-CNC Lokibot outbound connection attempt (malware-cnc.rules)
 * 1:56578 <-> ENABLED <-> MALWARE-OTHER Lokibot download attempt (malware-other.rules)
 * 1:56579 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo Insight Smart Plug libUPnPHndlr.so stack buffer overflow attempt (server-webapp.rules)
 * 1:56580 <-> DISABLED <-> POLICY-OTHER file URI redirect attempt (policy-other.rules)
 * 1:56581 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56609 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56610 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56611 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56612 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56613 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56614 <-> DISABLED <-> MALWARE-BACKDOOR Cobalt Strike beacon connection attempt (malware-backdoor.rules)
 * 1:56615 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56616 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56617 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon inbound connection attempt (malware-cnc.rules)
 * 1:56567 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorbotDNS variant download attempt (malware-tools.rules)
 * 1:56583 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56584 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56585 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56586 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ServiceDesk Plus arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:56587 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.SSLBeacon variant certificate exchange attempt (malware-cnc.rules)
 * 1:56592 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56593 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56594 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56595 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56596 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56597 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56598 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original inbound connection attempt (malware-cnc.rules)
 * 1:56599 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original stager outbound connection attempt (malware-cnc.rules)
 * 1:56600 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56601 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Stager 2 download attempt (malware-cnc.rules)
 * 1:56602 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Server 3 inbound beacon attempt (malware-cnc.rules)
 * 1:56603 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56604 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics NAV remote code execution attempt (server-webapp.rules)
 * 1:56605 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56606 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56607 <-> DISABLED <-> MALWARE-CNC potential Rat.Tool.CSBundleUSAToday connectivity check (malware-cnc.rules)

Modified Rules:


 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)

2020-12-10 00:52:31 UTC

Snort Subscriber Rules Update

Date: 2020-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56615 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56616 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56617 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon inbound connection attempt (malware-cnc.rules)
 * 1:56583 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56614 <-> DISABLED <-> MALWARE-BACKDOOR Cobalt Strike beacon connection attempt (malware-backdoor.rules)
 * 1:56292 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download (malware-other.rules)
 * 1:56563 <-> DISABLED <-> SERVER-WEBAPP Apache Server mod_proxy Error Page cross site scripting attempt (server-webapp.rules)
 * 1:56564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerRatankba variant download attempt (malware-cnc.rules)
 * 1:56565 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.AnchorBotDNS variant outbound ICMP connection (indicator-compromise.rules)
 * 1:56566 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorInstaller variant download attempt (malware-tools.rules)
 * 1:56567 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorbotDNS variant download attempt (malware-tools.rules)
 * 1:56568 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Anchorbot variant download attempt (malware-tools.rules)
 * 1:56613 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56569 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.MemscraperDNS variant download attempt (malware-tools.rules)
 * 1:56611 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56570 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Memscraper variant download attempt (malware-tools.rules)
 * 1:56571 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 SET_INFO information disclosure attempt (os-windows.rules)
 * 1:56574 <-> DISABLED <-> BROWSER-OTHER Microsoft Teams mention functionality displayName remote code execution attempt (browser-other.rules)
 * 1:56577 <-> ENABLED <-> MALWARE-CNC Lokibot outbound connection attempt (malware-cnc.rules)
 * 1:56578 <-> ENABLED <-> MALWARE-OTHER Lokibot download attempt (malware-other.rules)
 * 1:56579 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo Insight Smart Plug libUPnPHndlr.so stack buffer overflow attempt (server-webapp.rules)
 * 1:56580 <-> DISABLED <-> POLICY-OTHER file URI redirect attempt (policy-other.rules)
 * 1:56581 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56582 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56608 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon inbound connection attempt (malware-other.rules)
 * 1:56584 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56585 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56586 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ServiceDesk Plus arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:56587 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.SSLBeacon variant certificate exchange attempt (malware-cnc.rules)
 * 1:56592 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56593 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56594 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56595 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56596 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56597 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56598 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original inbound connection attempt (malware-cnc.rules)
 * 1:56599 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original stager outbound connection attempt (malware-cnc.rules)
 * 1:56600 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56601 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Stager 2 download attempt (malware-cnc.rules)
 * 1:56602 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Server 3 inbound beacon attempt (malware-cnc.rules)
 * 1:56603 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56604 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics NAV remote code execution attempt (server-webapp.rules)
 * 1:56605 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56606 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56610 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56609 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56612 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56607 <-> DISABLED <-> MALWARE-CNC potential Rat.Tool.CSBundleUSAToday connectivity check (malware-cnc.rules)

Modified Rules:


 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)

2020-12-10 00:52:31 UTC

Snort Subscriber Rules Update

Date: 2020-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56605 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56565 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.AnchorBotDNS variant outbound ICMP connection (indicator-compromise.rules)
 * 1:56608 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon inbound connection attempt (malware-other.rules)
 * 1:56613 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56615 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56614 <-> DISABLED <-> MALWARE-BACKDOOR Cobalt Strike beacon connection attempt (malware-backdoor.rules)
 * 1:56617 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon inbound connection attempt (malware-cnc.rules)
 * 1:56292 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download (malware-other.rules)
 * 1:56563 <-> DISABLED <-> SERVER-WEBAPP Apache Server mod_proxy Error Page cross site scripting attempt (server-webapp.rules)
 * 1:56606 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56581 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerRatankba variant download attempt (malware-cnc.rules)
 * 1:56566 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorInstaller variant download attempt (malware-tools.rules)
 * 1:56568 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Anchorbot variant download attempt (malware-tools.rules)
 * 1:56569 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.MemscraperDNS variant download attempt (malware-tools.rules)
 * 1:56570 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Memscraper variant download attempt (malware-tools.rules)
 * 1:56571 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 SET_INFO information disclosure attempt (os-windows.rules)
 * 1:56574 <-> DISABLED <-> BROWSER-OTHER Microsoft Teams mention functionality displayName remote code execution attempt (browser-other.rules)
 * 1:56577 <-> ENABLED <-> MALWARE-CNC Lokibot outbound connection attempt (malware-cnc.rules)
 * 1:56578 <-> ENABLED <-> MALWARE-OTHER Lokibot download attempt (malware-other.rules)
 * 1:56579 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo Insight Smart Plug libUPnPHndlr.so stack buffer overflow attempt (server-webapp.rules)
 * 1:56580 <-> DISABLED <-> POLICY-OTHER file URI redirect attempt (policy-other.rules)
 * 1:56582 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56583 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56584 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56585 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56586 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ServiceDesk Plus arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:56587 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.SSLBeacon variant certificate exchange attempt (malware-cnc.rules)
 * 1:56592 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56593 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56594 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56595 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56596 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56597 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56598 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original inbound connection attempt (malware-cnc.rules)
 * 1:56599 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original stager outbound connection attempt (malware-cnc.rules)
 * 1:56600 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56601 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Stager 2 download attempt (malware-cnc.rules)
 * 1:56602 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Server 3 inbound beacon attempt (malware-cnc.rules)
 * 1:56603 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56609 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56567 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorbotDNS variant download attempt (malware-tools.rules)
 * 1:56607 <-> DISABLED <-> MALWARE-CNC potential Rat.Tool.CSBundleUSAToday connectivity check (malware-cnc.rules)
 * 1:56610 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56604 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics NAV remote code execution attempt (server-webapp.rules)
 * 1:56611 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56616 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56612 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)

Modified Rules:


 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)

2020-12-10 00:52:31 UTC

Snort Subscriber Rules Update

Date: 2020-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56606 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56608 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon inbound connection attempt (malware-other.rules)
 * 1:56615 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56614 <-> DISABLED <-> MALWARE-BACKDOOR Cobalt Strike beacon connection attempt (malware-backdoor.rules)
 * 1:56617 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon inbound connection attempt (malware-cnc.rules)
 * 1:56601 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Stager 2 download attempt (malware-cnc.rules)
 * 1:56603 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerRatankba variant download attempt (malware-cnc.rules)
 * 1:56604 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics NAV remote code execution attempt (server-webapp.rules)
 * 1:56612 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56565 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.AnchorBotDNS variant outbound ICMP connection (indicator-compromise.rules)
 * 1:56602 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Server 3 inbound beacon attempt (malware-cnc.rules)
 * 1:56566 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorInstaller variant download attempt (malware-tools.rules)
 * 1:56567 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorbotDNS variant download attempt (malware-tools.rules)
 * 1:56568 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Anchorbot variant download attempt (malware-tools.rules)
 * 1:56569 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.MemscraperDNS variant download attempt (malware-tools.rules)
 * 1:56570 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Memscraper variant download attempt (malware-tools.rules)
 * 1:56571 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 SET_INFO information disclosure attempt (os-windows.rules)
 * 1:56574 <-> DISABLED <-> BROWSER-OTHER Microsoft Teams mention functionality displayName remote code execution attempt (browser-other.rules)
 * 1:56577 <-> ENABLED <-> MALWARE-CNC Lokibot outbound connection attempt (malware-cnc.rules)
 * 1:56578 <-> ENABLED <-> MALWARE-OTHER Lokibot download attempt (malware-other.rules)
 * 1:56563 <-> DISABLED <-> SERVER-WEBAPP Apache Server mod_proxy Error Page cross site scripting attempt (server-webapp.rules)
 * 1:56579 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo Insight Smart Plug libUPnPHndlr.so stack buffer overflow attempt (server-webapp.rules)
 * 1:56580 <-> DISABLED <-> POLICY-OTHER file URI redirect attempt (policy-other.rules)
 * 1:56581 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56582 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56583 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56584 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56585 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56586 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ServiceDesk Plus arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:56587 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.SSLBeacon variant certificate exchange attempt (malware-cnc.rules)
 * 1:56592 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56593 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56594 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56595 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56596 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56597 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56598 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original inbound connection attempt (malware-cnc.rules)
 * 1:56599 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original stager outbound connection attempt (malware-cnc.rules)
 * 1:56600 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56609 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56605 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56607 <-> DISABLED <-> MALWARE-CNC potential Rat.Tool.CSBundleUSAToday connectivity check (malware-cnc.rules)
 * 1:56292 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download (malware-other.rules)
 * 1:56610 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56611 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56616 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56613 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)

Modified Rules:


 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)

2020-12-10 00:52:31 UTC

Snort Subscriber Rules Update

Date: 2020-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56612 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56606 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56607 <-> DISABLED <-> MALWARE-CNC potential Rat.Tool.CSBundleUSAToday connectivity check (malware-cnc.rules)
 * 1:56608 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon inbound connection attempt (malware-other.rules)
 * 1:56614 <-> DISABLED <-> MALWARE-BACKDOOR Cobalt Strike beacon connection attempt (malware-backdoor.rules)
 * 1:56617 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon inbound connection attempt (malware-cnc.rules)
 * 1:56604 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics NAV remote code execution attempt (server-webapp.rules)
 * 1:56603 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56578 <-> ENABLED <-> MALWARE-OTHER Lokibot download attempt (malware-other.rules)
 * 1:56605 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56563 <-> DISABLED <-> SERVER-WEBAPP Apache Server mod_proxy Error Page cross site scripting attempt (server-webapp.rules)
 * 1:56565 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.AnchorBotDNS variant outbound ICMP connection (indicator-compromise.rules)
 * 1:56566 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorInstaller variant download attempt (malware-tools.rules)
 * 1:56567 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorbotDNS variant download attempt (malware-tools.rules)
 * 1:56568 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Anchorbot variant download attempt (malware-tools.rules)
 * 1:56569 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.MemscraperDNS variant download attempt (malware-tools.rules)
 * 1:56570 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Memscraper variant download attempt (malware-tools.rules)
 * 1:56571 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 SET_INFO information disclosure attempt (os-windows.rules)
 * 1:56574 <-> DISABLED <-> BROWSER-OTHER Microsoft Teams mention functionality displayName remote code execution attempt (browser-other.rules)
 * 1:56601 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Stager 2 download attempt (malware-cnc.rules)
 * 1:56615 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56577 <-> ENABLED <-> MALWARE-CNC Lokibot outbound connection attempt (malware-cnc.rules)
 * 1:56579 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo Insight Smart Plug libUPnPHndlr.so stack buffer overflow attempt (server-webapp.rules)
 * 1:56580 <-> DISABLED <-> POLICY-OTHER file URI redirect attempt (policy-other.rules)
 * 1:56581 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56582 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56583 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56584 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56585 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56586 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ServiceDesk Plus arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:56587 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.SSLBeacon variant certificate exchange attempt (malware-cnc.rules)
 * 1:56592 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56593 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56594 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56595 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56596 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56597 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56598 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original inbound connection attempt (malware-cnc.rules)
 * 1:56599 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original stager outbound connection attempt (malware-cnc.rules)
 * 1:56600 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56609 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56610 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56616 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56611 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56292 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download (malware-other.rules)
 * 1:56564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerRatankba variant download attempt (malware-cnc.rules)
 * 1:56613 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56602 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Server 3 inbound beacon attempt (malware-cnc.rules)

Modified Rules:


 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)

2020-12-10 00:52:31 UTC

Snort Subscriber Rules Update

Date: 2020-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56604 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics NAV remote code execution attempt (server-webapp.rules)
 * 1:56615 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56614 <-> DISABLED <-> MALWARE-BACKDOOR Cobalt Strike beacon connection attempt (malware-backdoor.rules)
 * 1:56610 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56607 <-> DISABLED <-> MALWARE-CNC potential Rat.Tool.CSBundleUSAToday connectivity check (malware-cnc.rules)
 * 1:56577 <-> ENABLED <-> MALWARE-CNC Lokibot outbound connection attempt (malware-cnc.rules)
 * 1:56608 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon inbound connection attempt (malware-other.rules)
 * 1:56617 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon inbound connection attempt (malware-cnc.rules)
 * 1:56616 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56611 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56602 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Server 3 inbound beacon attempt (malware-cnc.rules)
 * 1:56613 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56605 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56563 <-> DISABLED <-> SERVER-WEBAPP Apache Server mod_proxy Error Page cross site scripting attempt (server-webapp.rules)
 * 1:56606 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerRatankba variant download attempt (malware-cnc.rules)
 * 1:56565 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.AnchorBotDNS variant outbound ICMP connection (indicator-compromise.rules)
 * 1:56566 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorInstaller variant download attempt (malware-tools.rules)
 * 1:56567 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorbotDNS variant download attempt (malware-tools.rules)
 * 1:56568 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Anchorbot variant download attempt (malware-tools.rules)
 * 1:56569 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.MemscraperDNS variant download attempt (malware-tools.rules)
 * 1:56570 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Memscraper variant download attempt (malware-tools.rules)
 * 1:56571 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 SET_INFO information disclosure attempt (os-windows.rules)
 * 1:56578 <-> ENABLED <-> MALWARE-OTHER Lokibot download attempt (malware-other.rules)
 * 1:56579 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo Insight Smart Plug libUPnPHndlr.so stack buffer overflow attempt (server-webapp.rules)
 * 1:56580 <-> DISABLED <-> POLICY-OTHER file URI redirect attempt (policy-other.rules)
 * 1:56581 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56582 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56583 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56584 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56585 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56586 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ServiceDesk Plus arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:56587 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.SSLBeacon variant certificate exchange attempt (malware-cnc.rules)
 * 1:56592 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56593 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56594 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56595 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56596 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56597 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56598 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original inbound connection attempt (malware-cnc.rules)
 * 1:56599 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original stager outbound connection attempt (malware-cnc.rules)
 * 1:56600 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56574 <-> DISABLED <-> BROWSER-OTHER Microsoft Teams mention functionality displayName remote code execution attempt (browser-other.rules)
 * 1:56603 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56292 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download (malware-other.rules)
 * 1:56612 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56609 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56601 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Stager 2 download attempt (malware-cnc.rules)

Modified Rules:


 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)

2020-12-10 00:52:31 UTC

Snort Subscriber Rules Update

Date: 2020-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56292 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download (snort3-malware-other.rules)
 * 1:56612 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (snort3-malware-cnc.rules)
 * 1:56615 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (snort3-malware-cnc.rules)
 * 1:56606 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (snort3-malware-cnc.rules)
 * 1:56613 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (snort3-malware-cnc.rules)
 * 1:56567 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorbotDNS variant download attempt (snort3-malware-tools.rules)
 * 1:56610 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (snort3-malware-other.rules)
 * 1:56608 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon inbound connection attempt (snort3-malware-other.rules)
 * 1:56614 <-> DISABLED <-> MALWARE-BACKDOOR Cobalt Strike beacon connection attempt (snort3-malware-backdoor.rules)
 * 1:56617 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon inbound connection attempt (snort3-malware-cnc.rules)
 * 1:56564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerRatankba variant download attempt (snort3-malware-cnc.rules)
 * 1:56605 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (snort3-malware-cnc.rules)
 * 1:56566 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorInstaller variant download attempt (snort3-malware-tools.rules)
 * 1:56568 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Anchorbot variant download attempt (snort3-malware-tools.rules)
 * 1:56607 <-> DISABLED <-> MALWARE-CNC potential Rat.Tool.CSBundleUSAToday connectivity check (snort3-malware-cnc.rules)
 * 1:56569 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.MemscraperDNS variant download attempt (snort3-malware-tools.rules)
 * 1:56570 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Memscraper variant download attempt (snort3-malware-tools.rules)
 * 1:56571 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 SET_INFO information disclosure attempt (snort3-os-windows.rules)
 * 1:56574 <-> DISABLED <-> BROWSER-OTHER Microsoft Teams mention functionality displayName remote code execution attempt (snort3-browser-other.rules)
 * 1:56577 <-> ENABLED <-> MALWARE-CNC Lokibot outbound connection attempt (snort3-malware-cnc.rules)
 * 1:56578 <-> ENABLED <-> MALWARE-OTHER Lokibot download attempt (snort3-malware-other.rules)
 * 1:56579 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo Insight Smart Plug libUPnPHndlr.so stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:56603 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (snort3-malware-cnc.rules)
 * 1:56616 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (snort3-malware-cnc.rules)
 * 1:56611 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (snort3-malware-other.rules)
 * 1:56580 <-> DISABLED <-> POLICY-OTHER file URI redirect attempt (snort3-policy-other.rules)
 * 1:56581 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (snort3-malware-tools.rules)
 * 1:56582 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (snort3-malware-tools.rules)
 * 1:56583 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (snort3-malware-tools.rules)
 * 1:56584 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (snort3-malware-tools.rules)
 * 1:56585 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (snort3-malware-tools.rules)
 * 1:56586 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ServiceDesk Plus arbitrary JSP file upload attempt (snort3-server-webapp.rules)
 * 1:56587 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.SSLBeacon variant certificate exchange attempt (snort3-malware-cnc.rules)
 * 1:56592 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (snort3-malware-cnc.rules)
 * 1:56593 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (snort3-malware-cnc.rules)
 * 1:56594 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (snort3-malware-backdoor.rules)
 * 1:56595 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (snort3-malware-backdoor.rules)
 * 1:56596 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (snort3-malware-cnc.rules)
 * 1:56597 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (snort3-malware-cnc.rules)
 * 1:56598 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original inbound connection attempt (snort3-malware-cnc.rules)
 * 1:56599 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original stager outbound connection attempt (snort3-malware-cnc.rules)
 * 1:56600 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (snort3-malware-cnc.rules)
 * 1:56601 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Stager 2 download attempt (snort3-malware-cnc.rules)
 * 1:56602 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Server 3 inbound beacon attempt (snort3-malware-cnc.rules)
 * 1:56563 <-> DISABLED <-> SERVER-WEBAPP Apache Server mod_proxy Error Page cross site scripting attempt (snort3-server-webapp.rules)
 * 1:56604 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics NAV remote code execution attempt (snort3-server-webapp.rules)
 * 1:56565 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.AnchorBotDNS variant outbound ICMP connection (snort3-indicator-compromise.rules)
 * 1:56609 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (snort3-server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (snort3-server-webapp.rules)

2020-12-10 00:52:31 UTC

Snort Subscriber Rules Update

Date: 2020-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56613 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56607 <-> DISABLED <-> MALWARE-CNC potential Rat.Tool.CSBundleUSAToday connectivity check (malware-cnc.rules)
 * 1:56616 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56581 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56614 <-> DISABLED <-> MALWARE-BACKDOOR Cobalt Strike beacon connection attempt (malware-backdoor.rules)
 * 1:56617 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon inbound connection attempt (malware-cnc.rules)
 * 1:56608 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon inbound connection attempt (malware-other.rules)
 * 1:56567 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorbotDNS variant download attempt (malware-tools.rules)
 * 1:56605 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56563 <-> DISABLED <-> SERVER-WEBAPP Apache Server mod_proxy Error Page cross site scripting attempt (server-webapp.rules)
 * 1:56565 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.AnchorBotDNS variant outbound ICMP connection (indicator-compromise.rules)
 * 1:56566 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.AnchorInstaller variant download attempt (malware-tools.rules)
 * 1:56610 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56568 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Anchorbot variant download attempt (malware-tools.rules)
 * 1:56569 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.MemscraperDNS variant download attempt (malware-tools.rules)
 * 1:56570 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Memscraper variant download attempt (malware-tools.rules)
 * 1:56571 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 SET_INFO information disclosure attempt (os-windows.rules)
 * 1:56574 <-> DISABLED <-> BROWSER-OTHER Microsoft Teams mention functionality displayName remote code execution attempt (browser-other.rules)
 * 1:56577 <-> ENABLED <-> MALWARE-CNC Lokibot outbound connection attempt (malware-cnc.rules)
 * 1:56578 <-> ENABLED <-> MALWARE-OTHER Lokibot download attempt (malware-other.rules)
 * 1:56582 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56583 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56580 <-> DISABLED <-> POLICY-OTHER file URI redirect attempt (policy-other.rules)
 * 1:56584 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56585 <-> DISABLED <-> MALWARE-TOOLS GhostPack Rubeus kerberos request attempt (malware-tools.rules)
 * 1:56586 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ServiceDesk Plus arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:56587 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.SSLBeacon variant certificate exchange attempt (malware-cnc.rules)
 * 1:56592 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56593 <-> DISABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:56594 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56595 <-> DISABLED <-> MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt (malware-backdoor.rules)
 * 1:56596 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56597 <-> DISABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt (malware-cnc.rules)
 * 1:56598 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original inbound connection attempt (malware-cnc.rules)
 * 1:56599 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original stager outbound connection attempt (malware-cnc.rules)
 * 1:56600 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56601 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Stager 2 download attempt (malware-cnc.rules)
 * 1:56602 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original Server 3 inbound beacon attempt (malware-cnc.rules)
 * 1:56603 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt (malware-cnc.rules)
 * 1:56604 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics NAV remote code execution attempt (server-webapp.rules)
 * 1:56612 <-> DISABLED <-> MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt (malware-cnc.rules)
 * 1:56579 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo Insight Smart Plug libUPnPHndlr.so stack buffer overflow attempt (server-webapp.rules)
 * 1:56606 <-> ENABLED <-> MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt (malware-cnc.rules)
 * 1:56609 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerRatankba variant download attempt (malware-cnc.rules)
 * 1:56615 <-> DISABLED <-> MALWARE-CNC Cobalt Strike beacon outbound connection attempt (malware-cnc.rules)
 * 1:56611 <-> DISABLED <-> MALWARE-OTHER Cobalt Strike beacon outbound connection attempt (malware-other.rules)
 * 1:56292 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Crat malicious executable download (malware-other.rules)

Modified Rules:


 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)