Talos Rules 2022-12-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2022-44673: A coding deficiency exists in Microsoft Windows Client Server Run-time Subsystem (CSRSS) that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with: Snort 2: GID 1, SIDs 60972 through 60973; Snort 3: GID 1, SID 300339.

Microsoft Vulnerability CVE-2022-44675: A coding deficiency exists in Microsoft Windows Bluetooth Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with: Snort 2: GID 1, SIDs 60977 through 60978; Snort 3: GID 1, SID 300341.

Microsoft Vulnerability CVE-2022-44683: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with: Snort 2: GID 1, SIDs 60974 through 60975; Snort 3: GID 1, SID 300340.

Talos has also added and modified multiple rules in the indicator-compromise, malware-cnc and protocol-scada rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 3:60983 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt (protocol-scada.rules)
 * 3:60984 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt (protocol-scada.rules)
 * 3:60985 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt (protocol-scada.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 3:60983 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt (protocol-scada.rules)
 * 3:60984 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt (protocol-scada.rules)
 * 3:60985 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt (protocol-scada.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 3:60985 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt (protocol-scada.rules)
 * 3:60983 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt (protocol-scada.rules)
 * 3:60984 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt (protocol-scada.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 3:60983 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt (protocol-scada.rules)
 * 3:60984 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt (protocol-scada.rules)
 * 3:60985 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt (protocol-scada.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 3:60983 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt (protocol-scada.rules)
 * 3:60984 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt (protocol-scada.rules)
 * 3:60985 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt (protocol-scada.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 3:60984 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt (protocol-scada.rules)
 * 3:60985 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt (protocol-scada.rules)
 * 3:60983 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt (protocol-scada.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 3:60983 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt (protocol-scada.rules)
 * 3:60984 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt (protocol-scada.rules)
 * 3:60985 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt (protocol-scada.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 3:60985 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt (protocol-scada.rules)
 * 3:60983 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt (protocol-scada.rules)
 * 3:60984 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt (protocol-scada.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 3:60985 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt (protocol-scada.rules)
 * 3:60983 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt (protocol-scada.rules)
 * 3:60984 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt (protocol-scada.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 3:60985 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt (protocol-scada.rules)
 * 3:60983 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt (protocol-scada.rules)
 * 3:60984 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt (protocol-scada.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 3:60985 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt (protocol-scada.rules)
 * 3:60983 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt (protocol-scada.rules)
 * 3:60984 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt (protocol-scada.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (snort3-malware-cnc.rules)
 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (snort3-malware-cnc.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (snort3-malware-cnc.rules)
 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (snort3-malware-cnc.rules)
 * 1:60976 <-> ENABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (snort3-indicator-compromise.rules)

Modified Rules:



2022-12-13 17:50:23 UTC

Snort Subscriber Rules Update

Date: 2022-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt (os-windows.rules)
 * 1:60982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected (malware-cnc.rules)
 * 1:60975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:60979 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60976 <-> DISABLED <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt (indicator-compromise.rules)
 * 1:60981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)
 * 1:60977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60978 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt (os-windows.rules)
 * 1:60980 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt (malware-cnc.rules)

Modified Rules:



2022-12-13 17:52:34 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:34 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:34 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:34 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:34 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:34 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:34 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:35 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:35 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:35 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:35 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:35 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:35 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:35 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:35 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:35 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.35.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:35 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.44.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules:



2022-12-13 17:52:35 UTC

Snort Subscriber Rules Update

Date: 2022-12-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.47.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300339 <-> OS-WINDOWS Microsoft Windows Client Server Run-Time Subsystem privilege escalation attempt
* 1:300340 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:300341 <-> OS-WINDOWS Microsoft Windows Bluetooth Driver privilege escalation attempt
* 1:60976 <-> INDICATOR-COMPROMISE VMware vSphere Client vROps plugin potential server side request forgery attempt
* 1:60979 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60980 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60981 <-> MALWARE-CNC Win.Trojan.FormBook malicious XLL outbound connection attempt
* 1:60982 <-> MALWARE-CNC Win.Ransomware.Royal variant network share readme file detected
* 3:60983 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1662 attack attempt
* 3:60984 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1661 attack attempt
* 3:60985 <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2022-1663 attack attempt

Modified Rules: