Talos Rules 2021-06-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2021-31199: A coding deficiency exists in Microsoft Enhanced Cryptographic Provider that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57724 through 57725.

Microsoft Vulnerability CVE-2021-31201: A coding deficiency exists in Microsoft Enhanced Cryptographic Provider that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57730 through 57731.

Microsoft Vulnerability CVE-2021-31952: A coding deficiency exists in Microsoft Windows Kernel-Mode Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57722 through 57723.

Microsoft Vulnerability CVE-2021-31954: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57734 through 57735.

Microsoft Vulnerability CVE-2021-31955: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57726 through 57727.

Microsoft Vulnerability CVE-2021-31956: A coding deficiency exists in Microsoft Windows NTFS that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57732 through 57733.

Microsoft Vulnerability CVE-2021-31959: A coding deficiency exists in Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 49388 through 49389.

Microsoft Vulnerability CVE-2021-33739: A coding deficiency exists in Microsoft DWM Core Library that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57736 through 57737.

Talos also has added and modified multiple rules in the browser-ie, file-other, malware-backdoor and os-windows rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2021-06-08 17:35:10 UTC

Snort Subscriber Rules Update

Date: 2021-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57721 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt (malware-backdoor.rules)
 * 1:57722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57732 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57733 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 3:57729 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)
 * 3:57728 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)

Modified Rules:


 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

2021-06-08 17:35:10 UTC

Snort Subscriber Rules Update

Date: 2021-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57721 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt (malware-backdoor.rules)
 * 1:57730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57732 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57733 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 3:57728 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)
 * 3:57729 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)

Modified Rules:


 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

2021-06-08 17:35:10 UTC

Snort Subscriber Rules Update

Date: 2021-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57721 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt (malware-backdoor.rules)
 * 1:57733 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57732 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 3:57729 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)
 * 3:57728 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)

Modified Rules:


 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

2021-06-08 17:35:10 UTC

Snort Subscriber Rules Update

Date: 2021-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57721 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt (malware-backdoor.rules)
 * 1:57725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57732 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57733 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 3:57728 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)
 * 3:57729 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)

Modified Rules:


 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

2021-06-08 17:35:10 UTC

Snort Subscriber Rules Update

Date: 2021-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57721 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt (malware-backdoor.rules)
 * 1:57723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57733 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57732 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 3:57728 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)
 * 3:57729 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)

Modified Rules:


 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

2021-06-08 17:35:10 UTC

Snort Subscriber Rules Update

Date: 2021-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57721 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt (malware-backdoor.rules)
 * 1:57723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57733 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57732 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 3:57728 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)
 * 3:57729 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)

Modified Rules:


 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

2021-06-08 17:35:10 UTC

Snort Subscriber Rules Update

Date: 2021-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57733 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57732 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57721 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt (malware-backdoor.rules)
 * 1:57725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 3:57728 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)
 * 3:57729 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)

Modified Rules:


 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

2021-06-08 17:35:10 UTC

Snort Subscriber Rules Update

Date: 2021-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57732 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57721 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt (malware-backdoor.rules)
 * 1:57736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57733 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 3:57729 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)
 * 3:57728 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)

Modified Rules:


 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

2021-06-08 17:35:10 UTC

Snort Subscriber Rules Update

Date: 2021-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57733 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57732 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57721 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt (malware-backdoor.rules)
 * 1:57725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 3:57729 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)
 * 3:57728 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)

Modified Rules:


 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

2021-06-08 17:35:10 UTC

Snort Subscriber Rules Update

Date: 2021-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57721 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt (snort3-malware-backdoor.rules)
 * 1:57723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (snort3-os-windows.rules)
 * 1:57735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:57727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:57724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (snort3-os-windows.rules)
 * 1:300033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (snort3-native.rules)
 * 1:300032 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (snort3-native.rules)
 * 1:57726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:57736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (snort3-os-windows.rules)
 * 1:57725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (snort3-os-windows.rules)
 * 1:57722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (snort3-os-windows.rules)
 * 1:57737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (snort3-os-windows.rules)
 * 1:57730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (snort3-os-windows.rules)
 * 1:57731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (snort3-os-windows.rules)
 * 1:57732 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (snort3-os-windows.rules)
 * 1:57733 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (snort3-os-windows.rules)
 * 1:57734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)

2021-06-08 17:35:10 UTC

Snort Subscriber Rules Update

Date: 2021-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57732 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57733 <-> DISABLED <-> OS-WINDOWS Windows NTFS elevation of privilege attempt (os-windows.rules)
 * 1:57721 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt (malware-backdoor.rules)
 * 1:57735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt (os-windows.rules)
 * 1:57722 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57723 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:57724 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt (os-windows.rules)
 * 1:57726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57727 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:57730 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 1:57736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt (os-windows.rules)
 * 1:57731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt (os-windows.rules)
 * 3:57728 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)
 * 3:57729 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1308 attack attempt (file-other.rules)

Modified Rules:


 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

2021-06-08 17:38:46 UTC

Snort Subscriber Rules Update

Date: 2021-06-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300032 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:300033 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:57721 <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt
* 1:57722 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57723 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57724 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57725 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57726 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57727 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57730 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57731 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57732 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57733 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57734 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57735 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57736 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt
* 1:57737 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt

Modified Rules:

* 1:49388 <-> BROWSER-IE Microsoft Edge memory corruption attempt
* 1:49389 <-> BROWSER-IE Microsoft Edge memory corruption attempt


2021-06-08 17:38:46 UTC

Snort Subscriber Rules Update

Date: 2021-06-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300032 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:300033 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:57721 <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt
* 1:57722 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57723 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57724 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57725 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57726 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57727 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57730 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57731 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57732 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57733 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57734 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57735 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57736 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt
* 1:57737 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt

Modified Rules:

* 1:49388 <-> BROWSER-IE Microsoft Edge memory corruption attempt
* 1:49389 <-> BROWSER-IE Microsoft Edge memory corruption attempt


2021-06-08 17:38:46 UTC

Snort Subscriber Rules Update

Date: 2021-06-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300032 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:300033 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:57721 <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt
* 1:57722 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57723 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57724 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57725 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57726 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57727 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57730 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57731 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57732 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57733 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57734 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57735 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57736 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt
* 1:57737 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt

Modified Rules:

* 1:49388 <-> BROWSER-IE Microsoft Edge memory corruption attempt
* 1:49389 <-> BROWSER-IE Microsoft Edge memory corruption attempt


2021-06-08 17:38:46 UTC

Snort Subscriber Rules Update

Date: 2021-06-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300032 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:300033 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:57721 <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt
* 1:57722 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57723 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57724 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57725 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57726 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57727 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57730 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57731 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57732 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57733 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57734 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57735 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57736 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt
* 1:57737 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt

Modified Rules:

* 1:49388 <-> BROWSER-IE Microsoft Edge memory corruption attempt
* 1:49389 <-> BROWSER-IE Microsoft Edge memory corruption attempt


2021-06-08 17:38:46 UTC

Snort Subscriber Rules Update

Date: 2021-06-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300032 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:300033 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:57721 <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt
* 1:57722 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57723 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57724 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57725 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57726 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57727 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57730 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57731 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57732 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57733 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57734 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57735 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57736 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt
* 1:57737 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt

Modified Rules:

* 1:49388 <-> BROWSER-IE Microsoft Edge memory corruption attempt
* 1:49389 <-> BROWSER-IE Microsoft Edge memory corruption attempt


2021-06-08 17:38:46 UTC

Snort Subscriber Rules Update

Date: 2021-06-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300032 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:300033 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:57721 <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt
* 1:57722 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57723 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57724 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57725 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57726 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57727 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57730 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57731 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57732 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57733 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57734 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57735 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57736 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt
* 1:57737 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt

Modified Rules:

* 1:49388 <-> BROWSER-IE Microsoft Edge memory corruption attempt
* 1:49389 <-> BROWSER-IE Microsoft Edge memory corruption attempt


2021-06-08 17:38:47 UTC

Snort Subscriber Rules Update

Date: 2021-06-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300032 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:300033 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:57721 <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt
* 1:57722 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57723 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57724 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57725 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57726 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57727 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57730 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57731 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57732 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57733 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57734 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57735 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57736 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt
* 1:57737 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt

Modified Rules:

* 1:49388 <-> BROWSER-IE Microsoft Edge memory corruption attempt
* 1:49389 <-> BROWSER-IE Microsoft Edge memory corruption attempt


2021-06-08 17:38:47 UTC

Snort Subscriber Rules Update

Date: 2021-06-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300032 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:300033 <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection
* 1:57721 <-> MALWARE-BACKDOOR Win.Trojan.Moserpass outbound request attempt
* 1:57722 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57723 <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt
* 1:57724 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57725 <-> OS-WINDOWS Microsoft Windows cryptographic API integer overflow attempt
* 1:57726 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57727 <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt
* 1:57730 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57731 <-> OS-WINDOWS Microsoft Windows dssenh.dll privilege escalation attempt
* 1:57732 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57733 <-> OS-WINDOWS Windows NTFS elevation of privilege attempt
* 1:57734 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57735 <-> OS-WINDOWS Microsoft Windows common log file system driver elevation of privilege attempt
* 1:57736 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt
* 1:57737 <-> OS-WINDOWS Microsoft Windows Dynamic Window Manager privilege escalation attempt

Modified Rules:

* 1:49388 <-> BROWSER-IE Microsoft Edge memory corruption attempt
* 1:49389 <-> BROWSER-IE Microsoft Edge memory corruption attempt