Talos Rules 2020-12-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2020-17096: A coding deficiency exists in NTFS that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 56561 through 56562.

Microsoft Vulnerability CVE-2020-17121: A coding deficiency exists in Microsoft SharePoint that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 56560.

Microsoft Vulnerability CVE-2020-17144: A coding deficiency exists in Microsoft Exchange that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 56554.

Microsoft Vulnerability CVE-2020-17152: A coding deficiency exists in Microsoft Dynamics 365 for Finance and Operations (on-premises) that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 56558.

Microsoft Vulnerability CVE-2020-17158: A coding deficiency exists in Microsoft Dynamics 365 for Finance and Operations (on-premises) that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 56557.

Talos also has added and modified multiple rules in the file-multimedia, malware-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-12-08 18:34:47 UTC

Snort Subscriber Rules Update

Date: 2020-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56554 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server 2010 deserialization attempt (server-other.rules)
 * 1:56555 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56556 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56558 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56559 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint web.config access attempt (policy-other.rules)
 * 1:56560 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint external ImportWeb attempt (policy-other.rules)
 * 1:56561 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)

2020-12-08 18:34:47 UTC

Snort Subscriber Rules Update

Date: 2020-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56555 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56561 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56554 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server 2010 deserialization attempt (server-other.rules)
 * 1:56560 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint external ImportWeb attempt (policy-other.rules)
 * 1:56559 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint web.config access attempt (policy-other.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56558 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56556 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)

2020-12-08 18:34:47 UTC

Snort Subscriber Rules Update

Date: 2020-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56556 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56560 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint external ImportWeb attempt (policy-other.rules)
 * 1:56558 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56554 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server 2010 deserialization attempt (server-other.rules)
 * 1:56559 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint web.config access attempt (policy-other.rules)
 * 1:56555 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56561 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)

Modified Rules:


 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)

2020-12-08 18:34:47 UTC

Snort Subscriber Rules Update

Date: 2020-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56554 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server 2010 deserialization attempt (server-other.rules)
 * 1:56562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56558 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56559 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint web.config access attempt (policy-other.rules)
 * 1:56555 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56561 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56556 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56560 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint external ImportWeb attempt (policy-other.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)

2020-12-08 18:34:47 UTC

Snort Subscriber Rules Update

Date: 2020-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56554 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server 2010 deserialization attempt (server-other.rules)
 * 1:56561 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56556 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56558 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56555 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56559 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint web.config access attempt (policy-other.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56560 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint external ImportWeb attempt (policy-other.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)

2020-12-08 18:34:47 UTC

Snort Subscriber Rules Update

Date: 2020-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56559 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint web.config access attempt (policy-other.rules)
 * 1:56554 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server 2010 deserialization attempt (server-other.rules)
 * 1:56555 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56560 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint external ImportWeb attempt (policy-other.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56561 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56558 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56556 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)

2020-12-08 18:34:47 UTC

Snort Subscriber Rules Update

Date: 2020-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56561 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56554 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server 2010 deserialization attempt (server-other.rules)
 * 1:56562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56559 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint web.config access attempt (policy-other.rules)
 * 1:56556 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56560 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint external ImportWeb attempt (policy-other.rules)
 * 1:56558 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56555 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)

2020-12-08 18:34:47 UTC

Snort Subscriber Rules Update

Date: 2020-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56558 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56556 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56554 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server 2010 deserialization attempt (server-other.rules)
 * 1:56559 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint web.config access attempt (policy-other.rules)
 * 1:56561 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56560 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint external ImportWeb attempt (policy-other.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56555 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)

Modified Rules:


 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2020-12-08 18:34:47 UTC

Snort Subscriber Rules Update

Date: 2020-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56554 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server 2010 deserialization attempt (snort3-server-other.rules)
 * 1:56559 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint web.config access attempt (snort3-policy-other.rules)
 * 1:56562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (snort3-os-windows.rules)
 * 1:56556 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (snort3-malware-other.rules)
 * 1:56558 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (snort3-server-webapp.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (snort3-server-webapp.rules)
 * 1:56561 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (snort3-os-windows.rules)
 * 1:56560 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint external ImportWeb attempt (snort3-policy-other.rules)
 * 1:56555 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (snort3-server-other.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules)

2020-12-08 18:34:47 UTC

Snort Subscriber Rules Update

Date: 2020-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56558 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56556 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56554 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server 2010 deserialization attempt (server-other.rules)
 * 1:56557 <-> DISABLED <-> SERVER-WEBAPP Microsoft Dynamics365 Finance and Operations remote code execution attempt (server-webapp.rules)
 * 1:56559 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint web.config access attempt (policy-other.rules)
 * 1:56555 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.RegretLocker malicious executable download attempt (malware-other.rules)
 * 1:56561 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB authenticated remote code execution attempt (os-windows.rules)
 * 1:56560 <-> DISABLED <-> POLICY-OTHER Microsoft SharePoint external ImportWeb attempt (policy-other.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)