Talos Rules 2022-11-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2022-41057: A coding deficiency exists in Microsoft Windows HTTP.sys that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 60822 through 60823, Snort 3: GID 1, SID 300312.

Microsoft Vulnerability CVE-2022-41096: A coding deficiency exists in Microsoft DWM Core Library that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 60820 through 60821, Snort 3: GID 1, SID 300311.

Microsoft Vulnerability CVE-2022-41109: A coding deficiency exists in Microsoft Windows Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 60815 through 60816, Snort 3: GID 1, SID 300309.

Microsoft Vulnerability CVE-2022-41113: A coding deficiency exists in Microsoft Windows Win32k Kernel Subsystem that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 60818 through 60819, Snort 3: GID 1, SID 300310.

Microsoft Vulnerability CVE-2022-41118: A coding deficiency exists in Microsoft Windows Scripting Languages that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 60833 through 60834, Snort 3: GID 1, SID 300316.

Microsoft Vulnerability CVE-2022-41125: A coding deficiency exists in Microsoft Windows CNG Key Isolation Service that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 60831 through 60832, Snort 3: GID 1, SID 300315.

Talos also has added and modified multiple rules in the browser-ie, file-other, malware-cnc and os-windows rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 3:60805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60811 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)
 * 3:60812 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 3:60805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60811 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)
 * 3:60812 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 3:60805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60811 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)
 * 3:60812 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 3:60805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60811 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)
 * 3:60812 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 3:60805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60811 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)
 * 3:60812 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 3:60805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60811 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)
 * 3:60812 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 3:60805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60811 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)
 * 3:60812 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 3:60805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60811 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)
 * 3:60812 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 3:60805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60811 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)
 * 3:60812 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 3:60805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60811 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)
 * 3:60812 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 3:60805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt (file-other.rules)
 * 3:60807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt (file-other.rules)
 * 3:60809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt (file-other.rules)
 * 3:60811 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)
 * 3:60812 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt (file-other.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt (snort3-malware-cnc.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (snort3-malware-cnc.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (snort3-malware-cnc.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (snort3-malware-cnc.rules)

Modified Rules:



2022-11-08 19:47:11 UTC

Snort Subscriber Rules Update

Date: 2022-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60822 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60813 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60826 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60831 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60824 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt (malware-cnc.rules)
 * 1:60815 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60818 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60814 <-> DISABLED <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt (file-other.rules)
 * 1:60832 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt (os-windows.rules)
 * 1:60819 <-> DISABLED <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt (os-windows.rules)
 * 1:60820 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60821 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt (os-windows.rules)
 * 1:60834 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60829 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)
 * 1:60817 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection (malware-cnc.rules)
 * 1:60827 <-> DISABLED <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt (os-windows.rules)
 * 1:60833 <-> DISABLED <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt (browser-ie.rules)
 * 1:60825 <-> ENABLED <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt (malware-cnc.rules)
 * 1:60823 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt (os-windows.rules)
 * 1:60816 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:60828 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hoaxshell outbound connection attempt (malware-cnc.rules)
 * 1:60830 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt (malware-other.rules)

Modified Rules:



2022-11-08 19:49:06 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.35.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules:



2022-11-08 19:49:07 UTC

Snort Subscriber Rules Update

Date: 2022-11-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.44.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300308 <-> FILE-OTHER GIGABYTE GPCIDrv and GDrv driver privilege escalation attempt
* 1:300309 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt
* 1:300310 <-> OS-WINDOWS Windows Win32 Kernel subsystem elevation of privilege attempt
* 1:300311 <-> OS-WINDOWS Microsoft Windows DWM core library elevation of privilege attempt
* 1:300312 <-> OS-WINDOWS Microsoft Windows HTTP.sys elevation of privilege attempt
* 1:300313 <-> OS-WINDOWS GIGABYTE GPCI and GIO driver privilege escalation attempt
* 1:300314 <-> MALWARE-OTHER Win.Backdoor.Hoaxshell payload template download attempt
* 1:300315 <-> OS-WINDOWS Microsoft Windows CNG Key Isolation Service elevation of privilege attempt
* 1:300316 <-> BROWSER-IE Microsoft Windows Scripting Engine use-after-free attempt
* 3:60805 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60806 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1644 attack attempt
* 3:60807 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60808 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1648 attack attempt
* 3:60809 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60810 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1649 attack attempt
* 3:60811 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 3:60812 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1647 attack attempt
* 1:60817 <-> MALWARE-CNC Unix.Trojan.RedXOR variant outbound connection
* 1:60824 <-> MALWARE-CNC Php.Webshell.GReatPost outbound connection attempt
* 1:60825 <-> MALWARE-CNC Php.Webshell.GReatPost inbound connection attempt
* 1:60828 <-> MALWARE-CNC Win.Backdoor.Hoaxshell connection attempt

Modified Rules: