Talos Rules 2017-06-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2017-0215: A coding deficiency exists in Microsoft Device Guard Code Integrity Policy that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43157 through 43158.

Microsoft Vulnerability CVE-2017-8464: A coding deficiency exists in Microsoft LNK that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 17042 and 24500.

Microsoft Vulnerability CVE-2017-8465: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43173 through 43174.

Microsoft Vulnerability CVE-2017-8466: A coding deficiency exists in Microsoft Windows Cursor that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43173 through 43174.

Microsoft Vulnerability CVE-2017-8468: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43173 through 43174.

Microsoft Vulnerability CVE-2017-8496: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43165 through 43166.

Microsoft Vulnerability CVE-2017-8497: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43169 through 43170.

Microsoft Vulnerability CVE-2017-8509: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43159 through 43160.

Microsoft Vulnerability CVE-2017-8510: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43171 through 43172.

Microsoft Vulnerability CVE-2017-8524: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43163 through 43164.

Microsoft Vulnerability CVE-2017-8529: Microsoft Edge and Microsoft Internet Explorer suffer from programming errors that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43161 through 43162.

Microsoft Vulnerability CVE-2017-8543: A coding deficiency exists in Microsoft Windows Search that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43175 through 43176.

Microsoft Vulnerability CVE-2017-8547: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43155 through 43156.

Talos has also added and modified multiple rules in the blacklist, browser-ie, file-office, file-other, file-pdf, malware-cnc, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-06-13 17:54:36 UTC

Snort Subscriber Rules Update

Date: 2017-06-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43152 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:43154 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43155 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:43158 <-> ENABLED <-> OS-WINDOWS Windows Device Guard code execution attempt (os-windows.rules)
 * 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
 * 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
 * 1:43161 <-> DISABLED <-> POLICY-OTHER Microsoft Browser iframe local file load attempt (policy-other.rules)
 * 1:43162 <-> DISABLED <-> POLICY-OTHER Microsoft Browser iframe local file load attempt (policy-other.rules)
 * 1:43163 <-> ENABLED <-> BROWSER-IE Microsoft Edge object property type confusion attempt (browser-ie.rules)
 * 1:43164 <-> ENABLED <-> BROWSER-IE Microsoft Edge object property type confusion attempt (browser-ie.rules)
 * 1:43165 <-> ENABLED <-> BROWSER-IE Microsoft Edge cssText use after free attempt (browser-ie.rules)
 * 1:43166 <-> ENABLED <-> BROWSER-IE Microsoft Edge cssText use after free attempt (browser-ie.rules)
 * 1:43169 <-> ENABLED <-> BROWSER-IE Microsoft Edge textContent use after free attempt (browser-ie.rules)
 * 1:43170 <-> ENABLED <-> BROWSER-IE Microsoft Edge textContent use after free attempt (browser-ie.rules)
 * 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43176 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Search Service out of bounds memory access attempt (os-windows.rules)
 * 1:43157 <-> ENABLED <-> OS-WINDOWS Windows Device Guard code execution attempt (os-windows.rules)
 * 1:43177 <-> DISABLED <-> PROTOCOL-SCADA Siemens SIPROTEC V4.24 crafted packet denial of service attempt (protocol-scada.rules)
 * 1:43175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Search Service out of bounds memory access attempt (os-windows.rules)
 * 1:43174 <-> ENABLED <-> OS-WINDOWS Windows 10 RS2 x64 linked cursor double free attempt (os-windows.rules)
 * 1:43153 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43151 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43173 <-> ENABLED <-> OS-WINDOWS Windows 10 RS2 x64 linked cursor double free attempt (os-windows.rules)
 * 3:43167 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0361 attack attempt (file-pdf.rules)
 * 3:43168 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0361 attack attempt (file-pdf.rules)
 * 3:43150 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0362 attack attempt (server-other.rules)

Modified Rules:


 * 1:40782 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Venik (blacklist.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37245 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:24500 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
 * 1:17042 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)

2017-06-13 17:54:36 UTC

Snort Subscriber Rules Update

Date: 2017-06-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43177 <-> DISABLED <-> PROTOCOL-SCADA Siemens SIPROTEC V4.24 crafted packet denial of service attempt (protocol-scada.rules)
 * 1:43176 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Search Service out of bounds memory access attempt (os-windows.rules)
 * 1:43175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Search Service out of bounds memory access attempt (os-windows.rules)
 * 1:43174 <-> ENABLED <-> OS-WINDOWS Windows 10 RS2 x64 linked cursor double free attempt (os-windows.rules)
 * 1:43173 <-> ENABLED <-> OS-WINDOWS Windows 10 RS2 x64 linked cursor double free attempt (os-windows.rules)
 * 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43170 <-> ENABLED <-> BROWSER-IE Microsoft Edge textContent use after free attempt (browser-ie.rules)
 * 1:43169 <-> ENABLED <-> BROWSER-IE Microsoft Edge textContent use after free attempt (browser-ie.rules)
 * 1:43166 <-> ENABLED <-> BROWSER-IE Microsoft Edge cssText use after free attempt (browser-ie.rules)
 * 1:43165 <-> ENABLED <-> BROWSER-IE Microsoft Edge cssText use after free attempt (browser-ie.rules)
 * 1:43164 <-> ENABLED <-> BROWSER-IE Microsoft Edge object property type confusion attempt (browser-ie.rules)
 * 1:43163 <-> ENABLED <-> BROWSER-IE Microsoft Edge object property type confusion attempt (browser-ie.rules)
 * 1:43162 <-> DISABLED <-> POLICY-OTHER Microsoft Browser iframe local file load attempt (policy-other.rules)
 * 1:43161 <-> DISABLED <-> POLICY-OTHER Microsoft Browser iframe local file load attempt (policy-other.rules)
 * 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
 * 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
 * 1:43158 <-> ENABLED <-> OS-WINDOWS Windows Device Guard code execution attempt (os-windows.rules)
 * 1:43157 <-> ENABLED <-> OS-WINDOWS Windows Device Guard code execution attempt (os-windows.rules)
 * 1:43156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:43155 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:43154 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43153 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43152 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43151 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 3:43167 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0361 attack attempt (file-pdf.rules)
 * 3:43168 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0361 attack attempt (file-pdf.rules)
 * 3:43150 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0362 attack attempt (server-other.rules)

Modified Rules:


 * 1:40782 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Venik (blacklist.rules)
 * 1:37245 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:17042 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
 * 1:24500 <-> DISABLED <-> FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt (file-other.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)