Talos Rules 2018-04-05
Talos is aware of a vulnerability affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-0986: A coding deficiency exists in Microsoft Malware Protection Engine that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 46163 and 46164. Both rules live in the file-other rule set and are enabled by default.

Talos has also added and modified rules in the file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats. Note that the new SERVER-WEBAPP rules in this release (SIDs 46157 through 46162, covering Oracle Hospitality Simphony MICROS directory traversal and Western Digital MyCloud home_mgr.cgi command injection) ship disabled by default and must be enabled explicitly to provide coverage.

Change logs

2018-04-05 19:09:59 UTC

Snort Subscriber Rules Update

Date: 2018-04-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46164 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (file-other.rules)
 * 1:46163 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (file-other.rules)
 * 1:46162 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46161 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46160 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46159 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46158 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46156 <-> ENABLED <-> MALWARE-CNC Coldroot RAT outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:45749 <-> ENABLED <-> SERVER-WEBAPP PHPUnit PHP remote code execution attempt (server-webapp.rules)
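The "gid:sid <-> Default rule state <-> Message (rule group)" format above is regular enough to parse, which is useful when a release like this one ships several new rules DISABLED by default. The following is an added example written for this page, not Talos or Snort tooling: a small Python parser that reads one or more per-version sections of the changelog, picks the section for a given Snort version, lists the rule groups touched, checks that a SID range named in the advisory (here 46163 through 46164) is present and enabled, and emits the disabled new rules as gid:sid lines. The sample input is a constructed excerpt of the changelog above; feeding the output to PulledPork's enablesid.conf is an assumed workflow, not something the release notes describe.

```python
import re
from dataclasses import dataclass

# One changelog entry line, e.g.:
#  * 1:46164 <-> ENABLED <-> FILE-OTHER ... memory corruption attempt (file-other.rules)
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+)\)\s*$"
)
# Header line that opens each per-version section of the changelog.
VERSION_RE = re.compile(r"for Snort version (?P<ver>\d+)")


@dataclass(frozen=True)
class RuleEntry:
    snort_version: str
    section: str      # "new" or "modified"
    gid: int
    sid: int
    enabled: bool     # default rule state in the pack
    message: str
    group: str        # rules file, e.g. "file-other.rules"


def parse_changelog(text):
    """Parse every 'gid:sid <-> state <-> message (group)' line, tagged by version and section."""
    entries = []
    version, section = None, None
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            version, section = m["ver"], None   # new per-version section starts
            continue
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and version and section:
            entries.append(RuleEntry(version, section, int(m["gid"]), int(m["sid"]),
                                     m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def for_version(entries, snort_version):
    return [e for e in entries if e.snort_version == snort_version]


def disabled_new_rules(entries):
    """New rules shipped DISABLED: they give no coverage until an operator turns them on."""
    return sorted((e for e in entries if e.section == "new" and not e.enabled),
                  key=lambda e: (e.gid, e.sid))


def rule_groups(entries):
    return sorted({e.group for e in entries})


def covers_sid_range(entries, gid, first, last):
    """True if every gid:sid in [first, last] is present and ENABLED by default."""
    by_id = {(e.gid, e.sid): e for e in entries}
    return all((gid, s) in by_id and by_id[(gid, s)].enabled for s in range(first, last + 1))


def enablesid_lines(entries):
    """gid:sid lines (the form PulledPork's enablesid.conf accepts, assumed) for disabled new rules."""
    return [f"{e.gid}:{e.sid}" for e in disabled_new_rules(entries)]


# Constructed sample: an excerpt of the 2018-04-05 changelog for two Snort versions.
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
New Rules:
 * 1:46164 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (file-other.rules)
 * 1:46163 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (file-other.rules)
 * 1:46162 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46161 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46160 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46159 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46158 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46156 <-> ENABLED <-> MALWARE-CNC Coldroot RAT outbound connection (malware-cnc.rules)
Modified Rules:
 * 1:45749 <-> ENABLED <-> SERVER-WEBAPP PHPUnit PHP remote code execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
New Rules:
 * 1:46164 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (snort3-file-other.rules)
 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (snort3-server-webapp.rules)
"""

if __name__ == "__main__":
    entries = for_version(parse_changelog(SAMPLE), "2091101")
    print("rule groups touched:", rule_groups(entries))
    print("CVE-2018-0986 coverage enabled by default:", covers_sid_range(entries, 1, 46163, 46164))
    print("disabled new rules to review:", enablesid_lines(entries))
```

Run against the full release notes, the parser separates the five per-version sections (which list the same SIDs in different order and, for Snort 3, under snort3-* rule files), so the version filter matters when checking coverage for a specific sensor. The disabled list is the item to act on: a sensor on the default rule state will not alert on the MyCloud or Simphony attempts until those six SIDs are enabled.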

2018-04-05 19:09:59 UTC

Snort Subscriber Rules Update

Date: 2018-04-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46163 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (file-other.rules)
 * 1:46164 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (file-other.rules)
 * 1:46158 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46159 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46161 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46162 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46156 <-> ENABLED <-> MALWARE-CNC Coldroot RAT outbound connection (malware-cnc.rules)
 * 1:46160 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45749 <-> ENABLED <-> SERVER-WEBAPP PHPUnit PHP remote code execution attempt (server-webapp.rules)

2018-04-05 19:09:59 UTC

Snort Subscriber Rules Update

Date: 2018-04-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46164 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (snort3-file-other.rules)
 * 1:46156 <-> ENABLED <-> MALWARE-CNC Coldroot RAT outbound connection (snort3-malware-cnc.rules)
 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (snort3-server-webapp.rules)
 * 1:46158 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (snort3-server-webapp.rules)
 * 1:46159 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (snort3-server-webapp.rules)
 * 1:46162 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46163 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (snort3-file-other.rules)
 * 1:46160 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46161 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:45749 <-> ENABLED <-> SERVER-WEBAPP PHPUnit PHP remote code execution attempt (snort3-server-webapp.rules)

2018-04-05 19:09:59 UTC

Snort Subscriber Rules Update

Date: 2018-04-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46156 <-> ENABLED <-> MALWARE-CNC Coldroot RAT outbound connection (malware-cnc.rules)
 * 1:46162 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46158 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46159 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46163 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (file-other.rules)
 * 1:46160 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46161 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46164 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:45749 <-> ENABLED <-> SERVER-WEBAPP PHPUnit PHP remote code execution attempt (server-webapp.rules)

2018-04-05 19:09:59 UTC

Snort Subscriber Rules Update

Date: 2018-04-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46164 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (file-other.rules)
 * 1:46156 <-> ENABLED <-> MALWARE-CNC Coldroot RAT outbound connection (malware-cnc.rules)
 * 1:46161 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46158 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46159 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:46160 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46163 <-> ENABLED <-> FILE-OTHER Microsoft Windows Defender malformed RAR memory corruption attempt (file-other.rules)
 * 1:46162 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45749 <-> ENABLED <-> SERVER-WEBAPP PHPUnit PHP remote code execution attempt (server-webapp.rules)