Cisco Talos Update for FireSIGHT Management Center

Date: 2019-05-14

This SRU number: 2019-05-14-001
Previous SRU number: 2019-05-08-001

Applies to:

This SEU number: 2012
Previous SEU: 2010

Applies to:

This is the complete list of rules added in SRU 2019-05-14-001 and SEU 2012.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State gives the rule's state in each of the four default Cisco Talos policies: Connectivity, Balanced, Security, and Maximum Detection.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority
GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec. / Max.)
1 - 50065 - MALWARE-CNC - Win.Trojan.Robinhood malicious executable download attempt - off / drop / drop / drop
1 - 50066 - MALWARE-CNC - Win.Trojan.Robinhood malicious executable download attempt - off / drop / drop / drop
1 - 50067 - MALWARE-CNC - Win.Trojan.CrackXTSR variant outbound response attempt - off / drop / drop / drop
1 - 50068 - OS-WINDOWS - Microsoft Windows arbitrary registry access privilege escalation attempt - off / drop / drop / drop
1 - 50069 - OS-WINDOWS - Microsoft Windows arbitrary registry access privilege escalation attempt - off / drop / drop / drop
1 - 50070 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50071 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50072 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50073 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50074 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50075 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50076 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50077 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50078 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50079 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50080 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50081 - BROWSER-IE - Microsoft Edge memory corruption attempt - off / drop / drop / drop
1 - 50082 - BROWSER-IE - Microsoft Internet Explorer memory corruption attempt - off / drop / drop / drop
1 - 50083 - BROWSER-IE - Microsoft Internet Explorer memory corruption attempt - off / drop / drop / drop
1 - 50084 - OS-WINDOWS - Windows Kernel Registry Virtualization privilege escalation attempt - off / off / drop / drop
1 - 50085 - OS-WINDOWS - Windows Kernel Registry Virtualization privilege escalation attempt - off / off / drop / drop
1 - 50086 - FILE-OFFICE - Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt - off / off / drop / drop
1 - 50087 - FILE-OFFICE - Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt - off / off / drop / drop
1 - 50088 - FILE-IMAGE - Microsoft Windows OLE Load Picture remote code execution attempt - off / drop / drop / drop
1 - 50089 - FILE-IMAGE - Microsoft Windows OLE Load Picture remote code execution attempt - off / drop / drop / drop
1 - 50090 - OS-WINDOWS - Microsoft Windows NDIS elevation of privilege attempt - off / off / drop / drop
1 - 50091 - OS-WINDOWS - Microsoft Windows NDIS elevation of privilege attempt - off / off / drop / drop
1 - 50092 - MALWARE-CNC - Win.Trojan.Filensfer connection attempt - off / drop / drop / drop
1 - 50107 - MALWARE-CNC - Win.Trojan.Agent variant outbound cnc connection - off / drop / drop / drop
1 - 50108 - MALWARE-CNC - Win.Trojan.Agent variant outbound cnc connection - off / drop / drop / drop
1 - 50109 - MALWARE-CNC - Win.Trojan.Agent variant outbound cnc connection - off / drop / drop / drop
3 - 50110 - SERVER-WEBAPP - TRUFFLEHUNTER TALOS-2019-0836 attack attempt - off / off / off / drop
1 - 50112 - MALWARE-OTHER - Win.Ransomware.Agent ransom note transfer over SMB - off / drop / drop / drop
1 - 50113 - MALWARE-OTHER - Win.Ransomware.MegaLocker ransom note transfer over SMB - off / drop / drop / drop
3 - 50114 - SERVER-WEBAPP - TRUFFLEHUNTER TALOS-2019-0833 attack attempt - off / off / off / drop
1 - 50115 - OS-WINDOWS - Microsoft Windows Error Reporting elevation of privilege attempt - off / drop / drop / drop
1 - 50116 - OS-WINDOWS - Microsoft Windows Error Reporting elevation of privilege attempt - off / drop / drop / drop
3 - 50117 - SERVER-WEBAPP - Cisco IOS XE Web UI command injection attempt - off / off / drop / drop
3 - 50118 - SERVER-WEBAPP - Cisco IOS XE Web UI command injection attempt - off / off / drop / drop
1 - 50119 - FILE-OTHER - Windows GDI font out-of-bounds read attempt - off / off / drop / drop
1 - 50120 - FILE-OTHER - Windows GDI font out-of-bounds read attempt - off / off / drop / drop
1 - 50121 - OS-WINDOWS - Microsoft Windows TrueType font parsing integer underflow attempt - off / off / drop / drop
1 - 50122 - OS-WINDOWS - Microsoft Windows TrueType font parsing integer underflow attempt - off / off / drop / drop
Medium Priority
GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec. / Max.)
1 - 50093 - INDICATOR-COMPROMISE - Responder poisoner HTTP attack attempt - off / drop / drop / drop
1 - 50094 - INDICATOR-COMPROMISE - Responder poisoner HTTP attack attempt - off / drop / drop / drop
1 - 50095 - INDICATOR-COMPROMISE - Responder poisoner self-signed certificate attempt - off / drop / drop / drop
1 - 50096 - INDICATOR-COMPROMISE - Responder poisoner toolkit download attempt - off / drop / drop / drop
1 - 50097 - INDICATOR-COMPROMISE - Responder poisoner HTTP attack attempt - off / drop / drop / drop
1 - 50098 - INDICATOR-COMPROMISE - Responder poisoner HTTP attack attempt - off / drop / drop / drop
1 - 50099 - INDICATOR-COMPROMISE - Responder poisoner HTTP attack attempt - off / drop / drop / drop
1 - 50100 - INDICATOR-COMPROMISE - Responder poisoner SMTP attack attempt - off / drop / drop / drop
1 - 50101 - INDICATOR-COMPROMISE - Responder poisoner MSSQL attack attempt - off / drop / drop / drop
1 - 50102 - INDICATOR-COMPROMISE - Responder poisoner LDAP attack attempt - off / drop / drop / drop
1 - 50103 - INDICATOR-COMPROMISE - Responder poisoner SMB negotiation attack attempt - off / drop / drop / drop
1 - 50104 - INDICATOR-COMPROMISE - Responder poisoner SMB negotiation attack attempt - off / drop / drop / drop
1 - 50105 - INDICATOR-COMPROMISE - Responder poisoner SMB negotiation attack attempt - off / drop / drop / drop
1 - 50106 - INDICATOR-COMPROMISE - Responder poisoner SMB attack attempt - off / drop / drop / drop
3 - 50111 - SERVER-WEBAPP - TRUFFLEHUNTER TALOS-2019-0839 attack attempt - off / off / off / drop