Talos Rules 2019-01-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-pdf, malware-cnc, malware-other and policy-spam rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-01-17 15:36:51 UTC

Snort Subscriber Rules Update

Date: 2019-01-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48894 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules)
 * 1:48898 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:48891 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48893 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48869 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Agent variant inbound payload download (malware-other.rules)
 * 1:48866 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48867 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48890 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48899 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:48895 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules)
 * 1:48897 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt (file-pdf.rules)
 * 1:48896 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt (file-pdf.rules)
 * 1:48878 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48877 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48874 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48875 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48876 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48870 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Agent variant inbound payload download (malware-other.rules)
 * 1:48871 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz inbound payload download (malware-other.rules)
 * 1:48872 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48868 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48888 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt (file-pdf.rules)
 * 1:48889 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt (file-pdf.rules)
 * 1:48886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48881 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48880 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48879 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48892 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48513 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)

2019-01-17 15:36:51 UTC

Snort Subscriber Rules Update

Date: 2019-01-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48895 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules)
 * 1:48894 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules)
 * 1:48893 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48897 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt (file-pdf.rules)
 * 1:48898 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:48866 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48867 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48881 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48879 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48896 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt (file-pdf.rules)
 * 1:48883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48888 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt (file-pdf.rules)
 * 1:48889 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt (file-pdf.rules)
 * 1:48890 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48891 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48869 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Agent variant inbound payload download (malware-other.rules)
 * 1:48870 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Agent variant inbound payload download (malware-other.rules)
 * 1:48871 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz inbound payload download (malware-other.rules)
 * 1:48868 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48880 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48872 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48874 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48875 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48876 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48877 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48899 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:48892 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48878 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48513 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)

2019-01-17 15:36:51 UTC

Snort Subscriber Rules Update

Date: 2019-01-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48893 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (snort3-file-pdf.rules)
 * 1:48889 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:48899 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (snort3-browser-ie.rules)
 * 1:48898 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (snort3-browser-ie.rules)
 * 1:48897 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt (snort3-file-pdf.rules)
 * 1:48866 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48896 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt (snort3-file-pdf.rules)
 * 1:48895 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (snort3-policy-spam.rules)
 * 1:48867 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48878 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:48879 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (snort3-malware-cnc.rules)
 * 1:48876 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:48877 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:48874 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:48875 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:48872 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:48870 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Agent variant inbound payload download (snort3-malware-other.rules)
 * 1:48871 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz inbound payload download (snort3-malware-other.rules)
 * 1:48869 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Agent variant inbound payload download (snort3-malware-other.rules)
 * 1:48865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48868 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48894 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (snort3-policy-spam.rules)
 * 1:48892 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (snort3-file-pdf.rules)
 * 1:48890 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (snort3-file-pdf.rules)
 * 1:48891 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (snort3-file-pdf.rules)
 * 1:48888 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:48886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (snort3-malware-cnc.rules)
 * 1:48887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (snort3-malware-cnc.rules)
 * 1:48884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (snort3-malware-cnc.rules)
 * 1:48885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (snort3-malware-cnc.rules)
 * 1:48882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (snort3-malware-cnc.rules)
 * 1:48883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (snort3-malware-cnc.rules)
 * 1:48880 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (snort3-malware-cnc.rules)
 * 1:48881 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (snort3-malware-cnc.rules)

Modified Rules:


 * 1:48513 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (snort3-malware-tools.rules)
 * 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (snort3-malware-tools.rules)

2019-01-17 15:36:51 UTC

Snort Subscriber Rules Update

Date: 2019-01-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48892 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48898 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:48897 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt (file-pdf.rules)
 * 1:48896 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt (file-pdf.rules)
 * 1:48865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48895 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules)
 * 1:48894 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules)
 * 1:48866 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48893 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48899 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:48891 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48889 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt (file-pdf.rules)
 * 1:48890 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48888 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt (file-pdf.rules)
 * 1:48885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48881 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48879 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48880 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48877 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48878 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48875 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48876 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48874 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48871 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz inbound payload download (malware-other.rules)
 * 1:48872 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48869 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Agent variant inbound payload download (malware-other.rules)
 * 1:48870 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Agent variant inbound payload download (malware-other.rules)
 * 1:48868 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48867 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:48513 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)

2019-01-17 15:36:51 UTC

Snort Subscriber Rules Update

Date: 2019-01-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48870 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Agent variant inbound payload download (malware-other.rules)
 * 1:48869 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Agent variant inbound payload download (malware-other.rules)
 * 1:48868 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48867 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48866 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48891 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48890 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48889 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt (file-pdf.rules)
 * 1:48888 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bounds read attempt (file-pdf.rules)
 * 1:48887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ServHelper outbound connection (malware-cnc.rules)
 * 1:48882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48881 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48880 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48879 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedGrace outbound connection (malware-cnc.rules)
 * 1:48878 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48877 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48876 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48875 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48874 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection (malware-cnc.rules)
 * 1:48872 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48871 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz inbound payload download (malware-other.rules)
 * 1:48899 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:48898 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:48897 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt (file-pdf.rules)
 * 1:48896 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF getLegalWarnings use-after-free attempt (file-pdf.rules)
 * 1:48895 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules)
 * 1:48894 <-> DISABLED <-> POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt (policy-spam.rules)
 * 1:48893 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)
 * 1:48892 <-> ENABLED <-> FILE-PDF Adobe Reader XPS embedded font out-of-bounds vulnerability attempt (file-pdf.rules)

Modified Rules:


 * 1:48513 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
 * 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)