manageengine | Posted: 2021-02-23
2016 SIEM Content and Parsing Updates

Table of Contents

SIEM Data Sources: January 21, 2016; February 10, 2016; February 16, 2016; February 26, 2016; March 25, 2016; June 2, 2016; June 8, 2016; July 19, 2016; August 04, 2016; August 11, 2016; August 15, 2016; September 1, 2016; September 2, 2016; September 26, 2016; October 12, 2016; October 13, 2016; November 7, 2016; November 10, 2016; November 11, 2016; December 2, 2016

SIEM Custom Types: October 13, 2016; October 25, 2016

SIEM Parsing Rules: January 8, 2015; January 12, 2016; January 13, 2016; January 21, 2016; January 22, 2016; January 25, 2016; January 29, 2016; January 29, 2016; February 4, 2016; February 8, 2016; February 10, 2016; February 11, 2016; February 16, 2016; February 17, 2016; February 19, 2016; February 23, 2016; February 24, 2016; February 25, 2016; February 26, 2016; February 29, 2016; March 2, 2016; March 3, 2016; March 7, 2016; March 8, 2016; March 9, 2016; March 11, 2016; March 14, 2016; March 16, 2016; March 17, 2016; March 18, 2016; March 21, 2016; March 24, 2016; March 25, 2016; March 29, 2016; March 30, 2016; March 31, 2016; April 01, 2016; April 04, 2016; April 07, 2016; April 08, 2016; April 21, 2016; April 26, 2016; May 3, 2016; May 5, 2016; May 5, 2016; May 9, 2016; May 11, 2016; May 16, 2016; May 18, 2016; May 23, 2016; May 24, 2016; May 25, 2016; May 26, 2016; May 27, 2016; June 2, 2016; June 06, 2016; June 08, 2016; June 13, 2016; June 15, 2016; June 17, 2016; June 20, 2016; June 23, 2016; June 28, 2016; June 30, 2016; July 07, 2016; July 08, 2016; July 11, 2016; July 12, 2016; July 13, 2016; July 15, 2016; July 19, 2016; July 22, 2016; July 25, 2016; August 02, 2016; August 04, 2016; August 11, 2016; August 15, 2016; August 22, 2016; August 24, 2016; September 1, 2016; September 2, 2016; September 15, 2016; September 19, 2016; September 23, 2016; September 26, 2016; October 5, 2016; October 12, 2016; October 13, 2016; October 25, 2016; October 28, 2016; November 2, 2016; November 7, 2016; November 9, 2016; November 10, 2016; November 11, 2016; December 2, 2016; December 5, 2016; December 14, 2016; December 15, 2016; December 16, 2016

Content Packs: February 3, 2016; February 4, 2016; February 18, 2016; April 13, 2016; April 18, 2016; May 20, 2016; May 31, 2016; June 2, 2016; July 12, 2016; August 9, 2016; September 15, 2016; September 27, 2016; September 30, 2016; November 2, 2016

IPS Rules: January 12, 2016; January 14, 2016; January 15, 2016; February 9, 2016; March 8, 2016; March 17, 2016; March 23, 2016; April 13, 2016; May 20, 2016

SIEM Data Sources

January 21, 2016
New Data Source
Vendor: SSH Communications Security
Product: CryptoAuditor
Collector: Syslog
Parser: ASP
Device ID: 554
Version: ESM 9.4.1 and above

February 10, 2016
New Data Source
Vendor: IBM
Product: ISS SiteProtector - LEEF
Collector: Syslog
Parser: ASP
Device ID: 555
Version: ESM 9.5.0 and above
Notes: Parses LEEF formatted events received over syslog.
February 16, 2016
New Data Source
Vendor: Microsoft
Product: Internet Authentication Service - Database Compatible Format
Collector: File Pull/Syslog
Parser: ASP
Device ID: 556
Version: ESM 9.5.2 and above
Notes: Parses database-compatible formatted log files. Parsed events use signature IDs associated with data source ID 407.

February 26, 2016
Modified Data Source
Vendor: Oracle
Product: Oracle Audit - SQL Pull (ASP)
Collector: SQL
Parser: ASP
Device ID: 470
Version: ESM 9.4.2 and above
Notes: Updated to support pulling Audit events from Oracle 12c.

New Data Source
Vendor: Prevoty
Product: Prevoty
Collector: Syslog
Parser: ASP
Device ID: 557
Version: ESM 9.5.1 and above
Notes: Syslog support requires the use of Log4j on Prevoty.

March 25, 2016
New Data Source
Vendor: Wurldtech
Product: OpShield
Collector: Syslog
Parser: ASP
Device ID: 558
Version: ESM 9.4.1 and above

June 2, 2016
New Data Source
Vendor: Interset
Product: Interset
Collector: Syslog
Parser: ASP
Device ID: 560
Version: ESM 9.5.1 and above
Notes: Requires Interset version 4.1 or greater.

June 8, 2016
New Data Source
Vendor: Globalscape
Product: Globalscape EFT
Collector: MEF
Parser: ASP
Device ID: 561
Version: ESM 9.4.1 and above

New Data Source
Vendor: Blue Coat
Product: Reporter
Collector: File
Parser: ASP
Device ID: 562
Version: ESM 9.5.0 and above
Notes: Added support for Blue Coat Reporter 9.5.1 Cloud Access logs.
July 19, 2016
New Data Source
Vendor: PhishMe
Product: PhishMe Intelligence
Collector: Syslog
Parser: ASP
Device ID: 563
Version: ESM 9.5.0 and above

August 04, 2016
New Data Source
Vendor: Malwarebytes
Product: Breach Remediation
Collector: Syslog
Parser: ASP
Device ID: 564
Version: ESM 9.5.0 and above
Notes: CEF format is supported.

August 11, 2016
New Data Source
Vendor: Malwarebytes
Product: Management Console
Collector: Syslog
Parser: ASP
Device ID: 565
Version: ESM 9.5.0 and above
Notes: Management Console version 1.7, part of Malwarebytes Enterprise Endpoint Security, sends security events generated by Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit running on managed endpoints. CEF formatted syslog is supported by ESM.

August 15, 2016
New Data Sources
Vendor: CyberArk
Product: Privileged Threat Analytics
Collector: Syslog
Parser: ASP
Device ID: 566
Version: ESM 9.5.0 and above
Notes: CEF format is supported from PTA version 3.1.

September 1, 2016
New Data Sources
Vendor: Skyhigh Networks
Product: Cloud Security Platform
Collector: Syslog
Parser: ASP
Device ID: 567
Version: ESM 9.5.1 and above
Notes: Requires Skyhigh Enterprise Connector. CEF format is supported. Skyhigh version 2.2 and above is supported by ESM.

Vendor: Niara
Product: Niara
Collector: Syslog
Parser: ASP
Device ID: 568
Version: ESM 9.5.0 and above
Notes: Niara version 1.5 and above is supported by ESM.

Vendor: TrapX Security
Product: DeceptionGrid
Collector: Syslog
Parser: ASP
Device ID: 569
Version: ESM 9.5.0 and above

September 2, 2016
New Data Sources
Vendor: Attivo Networks
Product: BOTsink
Collector: Syslog
Parser: ASP
Device ID: 570
Version: ESM 9.5.0 and above
Notes: Requires BOTsink version 3.3 or above.

Vendor: PhishMe
Product: PhishMe Triage
Collector: Syslog
Parser: ASP
Device ID: 571
Version: ESM 9.5.1 and above
September 26, 2016
Updated Data Sources
Vendor: McAfee
Product: ePolicy Orchestrator (SiteAdvisor)
Collector: SQL
Parser: ASP
Device ID: 357
Version: ESM 9.4.1 and above
Notes: The SQL configuration was updated to report the Host Name and Host IP fields belonging to the host running the SiteAdvisor client.

October 12, 2016
New Data Sources
Vendor: Fortscale
Product: Fortscale UEBA
Collector: Syslog
Parser: ASP
Device ID: 572
Version: ESM 9.5.0 and above

October 13, 2016
New Data Source
Vendor: ThreatConnect
Product: ThreatConnect Threat Intelligence Platform
Collector: Syslog
Parser: ASP
Device ID: 573
Version: ESM 9.5.0 and above

November 7, 2016
New Data Sources
Vendor: McAfee
Product: Endpoint Security Platform (ePO)
Collector: SQL
Parser: ASP
Device ID: 574
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

Vendor: McAfee
Product: Endpoint Security Firewall (ePO)
Collector: SQL
Parser: ASP
Device ID: 575
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

Vendor: McAfee
Product: Endpoint Security Threat Prevention (ePO)
Collector: SQL
Parser: ASP
Device ID: 576
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

Vendor: McAfee
Product: Endpoint Security Web Control (ePO)
Collector: SQL
Parser: ASP
Device ID: 577
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

November 10, 2016
Updated Data Sources
Vendor: Oracle
Product: Oracle Audit - SQL Pull (ASP)
Collector: SQL
Parser: ASP
Device ID: 470
Version: ESM 9.4.2 and above
Notes: The SQL configuration was updated to pull Unified Audit events from version 12c when mixed mode reporting is disabled and Unified Auditing is specifically enabled.

November 11, 2016
Updated Data Sources
Vendor: McAfee
Product: ePolicy Orchestrator (HIPS)
Collector: SQL
Parser: ASP
Device ID: 357
Version: ESM 9.4.1 and above
Notes: The SQL configuration was updated to collect the Local Port and Remote Port fields from the HIPS tables in ePO.

December 2, 2016
Updated Data Sources
Vendor: Symantec
Product: Critical System Protection - SQL Pull (ASP)
Collector: SQL
Parser: ASP
Device ID: 103
Version: ESM 9.6.0 and above
Notes: The SQL configuration was updated to collect events from newer versions of Data Center Security, including version 6.7. The data source name was also updated to Data Center Security (CSP) - SQL Pull.
SIEM Custom Types

October 13, 2016
New Custom Types
Field Name: Device_Confidence
Data Type: Unsigned Integer
Event Field: 24
Indexed: Yes
ESM Version: 9.2.0 and above

October 25, 2016
New Custom Types
Field Name: Total_Bytes
Data Type: Accumulator
Event Field: 3
Indexed: Yes
ESM Version: 9.2.0 and above

SIEM Parsing Rules

January 8, 2015
Modified Rules
Vendor: McAfee
Data Source: Advanced Threat Defense
Affected Versions: ESM 9.4.0 and above
Parsing rules 43-263051360, 43-2630513700, and 43-263051410 were updated to map the Object GUID and Correlation ID from the log to the Object_GUID and Instance_GUID fields in the ESM.

Vendor: McAfee
Data Source: Advanced Threat Defense
Affected Versions: ESM 9.4.1 and above
Data Source rules 525-3186621865, 525-3768867276, 525-3260456963, 525-2089798990, 525-2353735580, and 525-2242864416 were added to the Advanced Threat Defense rule set.
January 12, 2016
New Rules
Vendor: Juniper Networks
Data Source: JUNOS Router (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068405 and 1068406 were added to the JUNOS Router (ASP) rule set.

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.2 and above
Parsing rules 43-402000130, 43-403000000, 43-404000030, 43-405005020, 43-405005010, 43-406133970, 43-407009000, 43-407010660, 43-408100000, 43-409245760, 43-410002580, 43-411006540, 43-412050500, 43-412058550, and 43-412092020 were added to the Windows Event Log - WMI rule set.

January 13, 2016
Modified Rules
Vendor: Vormetric
Data Source: Data Security (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1055606 was updated to add key to Registry_Key, and faked usernames to User_Nickname. Normalization was also updated.

New Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.5.0 and above
Parsing rule 43-413000000 was added to the Windows Event Log - WMI rule set to parse events from the Vasco Identikey authentication server.

January 21, 2016
Modified Rules
Vendor: Microsoft
Data Source: Microsoft Event Log - WMI
Affected Versions: ESM 9.4.0 and above
Parsing rule 43-294011160 was updated to map the file name to the Filename field in the ESM.

Vendor: Fortinet
Data Source: FortiGate UTM
Affected Versions: ESM 9.4.0 and above
Parsing rules 1067976 and 1067977 were updated to include edit in the action map.

Vendor: Cisco
Data Source: IOS IPS (SDEE protocol)
Affected Versions: ESM 9.5.1 and above
Parsing rule 1067511 was updated to map the CVE reference from the log to the Vulnerability_References field in the ESM.

New Rules
Vendor: SSH Communications Security
Data Source: CryptoAuditor
Affected Versions: ESM 9.4.1 and above
Parsing rule 1068487 was added to the CryptoAuditor rule set.

January 22, 2016
Modified Rules
Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.3.0 and above
Data source rule messages were updated to reflect changes made by the McAfee NSM.

January 25, 2016
New Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.2 and above
Parsing rule 43-265010850 was added to the Windows Event Log - WMI rule set to parse event 1085 from the Microsoft-Windows-GroupPolicy source.

Modified Rules
Vendor: Microsoft
Data Source: Forefront Threat Management Gateway/ISA Server - W3C (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1034545 was updated to account for optional ports at the end of source and destination IPs. Added Denied to the action map, mapping the action from the log to the Event Subtype field in the ESM.

January 29, 2016
New Rules
Vendor: Cisco
Data Source: Meraki
Affected Versions: ESM 9.4.1 and above
Parsing rules 1068487 through 1068491 were added to the Meraki rule set.

January 29, 2016
Modified Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.0 and above
Parsing rules 43-216070220, 43-216070230, 43-216070240, 43-216070260, 43-216070310, 43-216070320, 43-216070330, and 43-216070340 were updated to parse and capture the service name into the ESM field Service_Name, where they used to parse it into Application. The rules also parse the following additional data from the logs: error code into ESM field Status, event count into ESM field Count, device action into ESM field Device_Action, and time for corrective actions into ESM field Response_Time.

Vendor: F5 Networks
Data Source: BIG-IP Application Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1056805, 1056806, 1036218, 1036219 and 1036220 were updated to parse the PID from the logs.

Vendor: F5 Networks
Data Source: BIG-IP Local Traffic Manager - LTM (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1067701, 1012944, 1012946, 1012945, 1067702, and 1012948 were updated to parse the PID from the logs into ESM field PID. Rule 1012948 was also updated to capture the instance guid from the logs into ESM field instance_GUID for ESM versions 9.4.1 and above.

Vendor: Fortinet
Data Source: FortiGate UTM - Space delimited (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1064618 was updated to parse changes made to the event in newer versions of FortiGate UTM.

New Rules
Vendor: Cisco
Data Source: PIX/ASA/FWSM (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1068492 through 1068499 were added to the Cisco PIX/ASA/FWSM rule set.

Vendor: F5 Networks
Data Source: BIG-IP Local Traffic Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1068500 through 1068547 were added to the BIG-IP Local Traffic Manager (ASP) rule set.

Vendor: Fortinet
Data Source: FortiGate UTM - Space delimited (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068548 and 1068549 were added to the FortiGate UTM rule set.
February 4, 2016
New Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.1 and above
Parsing rules were added to the Windows Event Log - WMI rule set to support Terminal Services and Remote Desktop Services events.

Modified Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.1.0 and above
Parsing rules 43-323002020, 43-323003030, and 43-323003040 have updated normalization from Authentication -> User Account to Network Access -> Connection/Session. Parsing rules 43-323005300, 43-323005310, 43-323005320, and 43-323005330 have updated normalization from Authentication -> Login to Application -> Configuration Status.

February 8, 2016
New Rules
Vendor: Cisco
Data Source: PIX/ASA/FWSM - ASP
Affected Versions: ESM 9.4.1 and above
Parsing rules 1068550 through 1068555 were added to the PIX/ASA/FWSM - ASP rule set.

Modified Rules
Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.1.0 and above
Multiple rules were updated to modify the parsing of the date and time from Cisco events.

February 10, 2016
Modified Rules
Vendor: Checkpoint
Data Source: Checkpoint - ASP
Affected Versions: ESM 9.3.0 and above
Parsing rules were updated to prioritize an IPv4 address to capture into the ESM field NAT_Details.NAT_Address, when it exists in the logs.

Vendor: Enterasys Networks
Data Source: Enterasys Network Access Control (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1016999 was modified to account for the new format of the State field in the logs.

New Rules
Vendor: IBM
Data Source: ISS SiteProtector - LEEF
Affected Versions: ESM 9.5.0 and above
Parsing rule 1068601 was added to the ISS SiteProtector - LEEF rule set.

February 11, 2016
Modified Rules
Vendor: SourceFire
Data Source: FireSIGHT Management Console - eStreamer
Affected Versions: ESM 9.5.0 and above
Parsing rules 1051818, 1056620, 1056621, 1056622, and 1056623 were updated to handle logs where no source IP is present.

Vendor: Microsoft
Data Source: SharePoint (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1026507 through 1026648 were updated to enhance host name parsing.

New Rules
Vendor: Microsoft
Data Source: SharePoint (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068603, 1068604, and 1068605 were added to the SharePoint (ASP) rule set.

February 16, 2016
Modified Rules
Vendor: Microsoft
Data Source: Internet Authentication Service - Formatted (ASP)
Affected Versions: ESM 9.5.2 and above
Parsing rule 1034046 was updated to map the NasID, NasIP, Client-IP-Address, FramedIPAddress, CalledStationID, CallingStationID, ClassData, and ComputerName fields in the log to the External Device Name, Device IP, Source IP, Destination MAC, Source MAC, Destination IP, and Destination Host fields in the ESM. The Messages and Signature IDs have been updated to reflect the packet type and reason code from the logs.

Vendor: Microsoft
Data Source: Internet Authentication Service - XML (ASP)
Affected Versions: ESM 9.5.2 and above
Parsing rule 1031688 was updated to map the NasID, NasIP, Client-IP-Address, FramedIPAddress, CalledStationID, CallingStationID, ClassData, and ComputerName fields in the log to the External Device Name, Device IP, Source IP, Destination MAC, Source MAC, Destination IP, and Destination Host fields in the ESM. The Messages and Signature IDs have been updated to reflect the packet type and reason code from the logs.

New Rules
Vendor: Microsoft
Data Source: Internet Authentication Service - Database Compatible Format
Affected Versions: ESM 9.5.2 and above
Parsing rule 1068606 was added to the Internet Authentication Service - Database Compatible Format rule set.

February 17, 2016
New Rules
Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
1566 Data Source Rules were added to the Network Security Manager (ASP) rule set.
February 19, 2016
Modified Rules
Vendor: Juniper Networks
Data Source: Juniper Secure Access/MAG (ASP)
Affected Versions: ESM 8.2.0 and above
Parsing rule 1008031 was updated to account for a spelling error in the Secure Access log, and will match on either Occured or Occurred.

February 23, 2016
New Rules
Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Added new data source rules 305-4219029, 305-4528462, 305-4528531, 305-4528532, 305-4528533, 305-4528534, 305-4528535, 305-4528536, 305-4528537, 305-4528538, 305-4528539, 305-4528541, 305-4528542, 305-4528543, 305-4528544, 305-4528545, 305-4528546, 305-4528547, 305-4526718, 305-4527546, 305-4528549, 305-4528548, 305-4576105, 305-4206723, 305-4206724, 305-4206725, 305-4206726, 305-4206727, 305-4206728, 305-4206717, 305-4223213, 305-4528384, 305-4528416, 305-4528431, 305-4528512, 305-4211033, 305-4215039, 305-4219028, 305-4440236, 305-4440237, 305-4527993, 305-4528099, 305-4528202, 305-4528334, 305-4528338, 305-4528339, 305-4528340, 305-4528341, 305-4528355, 305-4528399, 305-4528413, 305-4567061, 305-4576107, 305-4677737, 305-4739464, 305-4739604, 305-4739612, 305-4739613, 305-4739697, 305-4739701, 305-4739708, 305-4739709, 305-4739711, 305-4739739, 305-4739740, 305-4739763, 305-4739787, 305-4739788, 305-4739800, 305-4739805, 305-4739807, 305-4739808, 305-4739823, 305-4739830, 305-4528342, 305-4528343, 305-4528344, 305-4528368, 305-4528376, 305-4528377, 305-4528378, 305-4528379, 305-4528381, 305-4528382, 305-4528383, 305-4528393, 305-4528394, 305-4528395, 305-4528397, 305-4528398, 305-4528411, 305-4528412, 305-4528414, 305-4528417, 305-4528418, 305-4528420, 305-4528421, 305-4528430, 305-4528433, 305-4528434, 305-4528435, 305-4528459, 305-4528461, 305-4571255, 305-4571256, and 305-4735896 to the McAfee Network Security Manager (ASP) data source.

Modified Rules
Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Updated the normalization for data source rules 305-4528507, 305-4528508, 305-4528509, 305-4528510, 305-4528514, 305-4528515, 305-4528516, 305-4528517, 305-4528519, 305-4528520, 305-4528525, 305-4528526, 305-4528527, 305-4528528, 305-4528529, 305-4528530, 305-4528550, 305-4528551, 305-4528552, 305-4528553, 305-4528554, 305-4528555, 305-4528556, 305-4528557, 305-4528558, 305-4528559, 305-4528560, 305-4528561, 305-4528562, 305-4528563, 305-4528564, 305-4528565, 305-4528567, 305-4528568, 305-4528570, 305-4528571, 305-4528572, 305-4528573, 305-4528574, 305-4528575, 305-4528576, 305-4528578, and 305-4735171 for the McAfee Network Security Manager (ASP) data source.

February 24, 2016
New Rules
Vendor: RioRey
Data Source: DDOS Protection
Affected Versions: ESM 9.4.0 and above
Parsing rule 1068607 was added to the RioRey DDOS Protection rule set.

Modified Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.2.0 and above
Parsing rules 43-263046970, 43-263047680, 43-263047690, 43-263047700, 43-263047710, and 43-263047720 were updated to map Service Name and File Name from the logs to Service_Name and Filename in the ESM. In some cases Service Name from the logs was previously mapped to Application in the ESM.

February 25, 2016
Modified Rules
Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1052665 was updated with a severity value of 10 and will parse Source IP, Source Port, Destination IP, Destination Port, and Protocol from the logs to Source IP, Source Port, Destination IP, Destination Port and Protocol in the ESM.

February 26, 2016
New Rules
Vendor: Cisco
Data Source: NX-OS (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068608 through 1068610 were added to the Cisco NX-OS (ASP) rule set.

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1068611 was added to the Cooper Power Systems Cybectec RTU (ASP) rule set.

Vendor: Prevoty
Data Source: Prevoty
Affected Versions: ESM 9.5.1 and above
Parsing rules 1068612 through 1068615 were added to the Prevoty rule set.

Modified Rules
Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1021971 was updated to support the Console service in addition to Log and Maintenance on the Cooper Power Systems Cybectec RTU (ASP) rule set.

Vendor: McAfee
Data Source: McAfee Host Data Loss Prevention (ePO)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1050406, 1039681, and 1039682 were updated to include the product family name of Data Loss Prevention in the adsid map and regular expression matches.

February 29, 2016
Modified Rules
Vendor: InterSect Alliance
Data Source: Snare for Windows (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1011177 was updated to map the Subject Account Name, New Logon Account Name, New Logon Logon ID, Subject Logon ID, New Logon Security ID, New Logon Account Domain, Package Name, Failure Reason, and Failure Information Status from the log to the Destination Username, Source Username, Source_Logon_ID, Destination_Logon_ID, Security_ID, Domain, Version, Message_Text, and Status fields in the ESM. The changes were made to improve reporting for event IDs 4624, 4625, 4675, 4648, 4634, 4647, 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 4672 and 4694.
March 2, 2016
Modified Rules
Vendor: Websense
Data Source: Websense - CEF, Key Value Pair (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1042178 and 1042179 were updated to include the following additional categories: '220: Security: Compromised Websites', '221: Extended Protection: Newly Registered Websites', '222: Collaboration - Office', '223: Collaboration - Office: Office - Mail', '224: Collaboration - Office: Office - Drive', '225: Collaboration - Office: Office - Documents', '226: Collaboration - Office: Office - Apps', '227: Information Technology: Web Analytics', '228: Information Technology: Web and Email Marketing'. Rule 1055661 was updated to enhance auto learning for the Websense - CEF, Key Value Pair (ASP) data source.

Vendor: Websense
Data Source: Websense Enterprise - SQL Pull (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1042178, 1042179, and 1018095 were updated to include the following additional categories: '220: Security: Compromised Websites', '221: Extended Protection: Newly Registered Websites', '222: Collaboration - Office', '223: Collaboration - Office: Office - Mail', '224: Collaboration - Office: Office - Drive', '225: Collaboration - Office: Office - Documents', '226: Collaboration - Office: Office - Apps', '227: Information Technology: Web Analytics', '228: Information Technology: Web and Email Marketing' for the Websense Enterprise - SQL Pull (ASP) data source.

Vendor: Websense
Data Source: Websense Enterprise - SQL Pull (ASP)
Affected Versions: ESM 9.2.0 and above
Normalization was updated for Data Source Rules 1029, 1030, 1031, 1035, 1037, 1040, 1041, 1052, 1053, 1054, 1057, 1060, 1061, 1293, 1296, 1310, 1313, 1537, 1553, 2179658656, and 2546160569 for the Websense Enterprise - SQL Pull (ASP) data source.

Vendor: LOGbinder
Data Source: LOGbinder (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1055294, 1055300, 1055306, 1055307, 1055308, 1055310, 1055311, 1055312, 1055314, 1055316, 1055318, 1055319, 1055320, 1055322, 1055327, 1055328, 1055331, 1055337, 1055338, 1055340, 1055341, 1055342, 1055343, 1055344, 1055347, 1055352, 1055353, 1055355, 1055356, 1055357, 1055361, 1055362, 1055363, 1055367, 1055368, 1055369, 1055370, 1055371, 1055372, 1055373, 1055374, 1055375, 1055376, 1055377, 1055378, 1055379, 1055380, 1055381, 1055382, 1055384, 1055387, 1055389, 1055392, 1055394, 1055395, 1055397, 1055399, 1055402, 1055403, 1055404, 1055409, 1055410, 1055411, 1055415, 1055416, 1055417, 1055418, 1055419, 1055420, 1055421, 1055422, 1055423, 1055434, 1055435, 1055436, 1055438, 1055439, 1055441, 1055442, 1055443, 1055445, 1055446, 1055447, 1055448, 1055450, 1055451, 1055452, 1055453, 1055454, 1055455, 1055456, 1055457, 1055458, 1055459, 1055460, 1055461, 1055462, 1055463, 1055464, 1055465, 1055466, 1055467, 1055468, 1055469, 1055470, 1055471, 1055472, 1055473, 1055474, 1055475, 1055476, 1055477, 1055478, 1055479, 1055480, 1055481, 1055482, 1055483, 1055484, 1055485, 1055486, 1055487, 1055488, 1055489, 1055490, 1055491, 1055492, 1055493, 1055494, 1055495, 1055496, 1055497, 1055498, 1055499, 1055500, 1055501, 1055502, 1055503, 1055504, 1055505, 1055506, 1055507, 1055508, 1055509, 1055510, 1055511, 1055512, 1055513, 1055514, 1055515, 1055516, 1055517, 1055518, 1055519, 1055520, 1055521, 1055522, 1055523, 1055524, 1055525, 1055526, 1055527, 1055528, 1055529, 1055530, 1055531, 1055532, 1055533, 1055534, 1055535, 1055536, 1055537, 1055538, 1055539, 1055540, 1055541, 1055556, 1055557, 1055558, 1055559, 1055560, 1055561, 1055562, 1055568, 1055569, and 1055570 were updated to map the Statement from the log to the SQL_Statement field in the ESM. Parsing rules 1055306 through 1055308, 1055369 through 1055378, 1055402 through 1055404, 1055409, and 1055415 through 1055421 were updated to map the Target Object Type from the log to the Object_Type field in the ESM. Parsing rules 1055353, 1055369, 1055370, 1055371, 1055373, 1055374, 1055375, 1055376, 1055377, 1055378, 1055382, 1055384, 1055387, 1055389, 1055392, 1055394, 1055397, 1055399, 1055402, 1055403, 1055404, 1055409, 1055410, 1055411, 1055415, 1055416, 1055417, 1055418, 1055419, 1055420, 1055421, 1055422, 1055423, 1055434 through 1055436, 1055441 through 1055443, 1055445 through 1055448, and 1055450 were updated to map the Target Object Name from the log to the Object field in the ESM.

March 3, 2016
Modified Rules
Vendor: Fortinet
Data Source: FortiManager (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1037921 through 1038258, and 1064559 through 1064562 were updated to improve username parsing.

Vendor: Kaspersky
Data Source: Administration Kit - SQL Pull (ASP)
Affected Versions: ESM 9.2.1 and above
Parsing rule 1048681 was updated to capture Threat Name from the logs into Threat Name in the ESM.

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.2.0 and above
Parsing rule 43-263047810 was updated to parse Old Account Name and New Account Name from the logs into Old Value and New Value in the ESM.

March 7, 2016
Modified Rules
Vendor: LOGbinder
Data Source: LOGbinder (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068616 through 1068618 were added to the LOGbinder - LOGbinder (ASP) data source.
March 8, 2016
Modified Rules
Vendor: Palo Alto Networks
Data Source: Palo Alto Firewalls (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1010436 and 1012909 were updated to map the Threat_ID and Threat_Severity from the logs to the Incident_ID and Object fields respectively in the ESM.

March 9, 2016
New Rules
Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1068643 was added to the Cybectec RTU (ASP) data source.

Modified Rules
Vendor: Citrix
Data Source: NetScaler (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1009227, 1009228, 1009232, 1009233, 1009234, 1009235, 1009236, 1009237, 1009245, 1009246, 1009247, 1009262, 1009268, 1009273, 1009274, 1009275, 1009289, 1009290, 1009291, 1009292, 1009293, 1009294, 1009295, 1009296, 1009297, 1009299, 1009301, 1009305, 1009311, 1009312, 1009313, 1009314, 1018019, 1018020, 1021461, 1021516, 1025795, 1055649, 1055651, 1055652, 1055653, 1055654, 1055655, 1055656, 1055657, 1055658, 1056391, 1056392, 1056741, 1056742, 1056743, 1056744, 1056755, 1056756, 1056758 were updated to enhance normalization for the Cybectec RTU (ASP) data source.

Modified Rules
Vendor: RioRey
Data Source: DDOS Protection
Affected Versions: ESM 9.4.0 and above
Parsing rule 1068607 was updated to map zone from the logs into Destination_Zone and Source_Zone on the ESM. The rule message has also been updated to show the full context of the event.

March 11, 2016
New Rules
Vendor: LOGbinder
Data Source: LOGbinder (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1068644 through 1068670 were added to the LOGbinder (ASP) data source.

Modified Rules
Vendor: LOGbinder
Data Source: LOGbinder (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1054664 through 1054676 were updated to account for updated log formats; the updated rules also map Performed Logon Type, Item Subject, and Mailbox GUID from the logs into Logon_Type, Subject, and Instance_GUID in the ESM for the LOGbinder (ASP) data source.

Vendor: IBM
Data Source: ISS SiteProtector - SQL Pull
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1067566 to map blocked from the logs to Action in the ESM for the ISS SiteProtector - SQL Pull data source.

March 14, 2016
Modified Rules
Vendor: Cisco
Data Source: IOS IPS (SDEE protocol)
Affected Versions: ESM 9.5.1 and above
Updated parsing rule 1067511 to capture sd:originator/cid:appName, cid:alertDetails, cid:riskRatingValue, sd:signature/@cid:type, sd:signature/@id, cid:os/@type, sd:signature/marsCategory, sd:attacker/sd:addr/@cid:locality, and sd:target/sd:addr/@cid:locality from the logs to application, Message_Text, Reputation, Threat_Category, Incident_ID, object name, Threat_Name, Source_Zone, and Destination_Zone in the ESM for the IOS IPS (SDEE protocol) data source.

March 16, 2016
New Rules
Vendor: Proofpoint
Data Source: Messaging Security Gateway (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1068671 through 1068746 were added to the Messaging Security Gateway (ASP) data source.

Vendor: Cisco
Data Source: Wireless Lan Controller (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1068747 through 1068768 were added to the Wireless Lan Controller (ASP) data source.

Modified Rules
Vendor: Proofpoint
Data Source: Messaging Security Gateway (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1012996, 1012997, 1013001, 1013002, 1013004, 1013005, 1013007, 1013008, 1013010, 1013012, 1013013, 1013015, 1013016 through 1013018, 1013020, 1013021, 1013022, 1017001, 1017003 through 1017008, 1013006, 1017009, 1013014, 1013009, 1012956, 1012957 through 1012994, 1013003, 1017010, 1012998, 1012999, 1013000, 1013011, and 1017002 to enhance application captures and improve reporting for the Messaging Security Gateway (ASP) data source.

Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1036635, 1022474, 1046862, 1064496, 1042160, 1022471, 1047402, 1022502, 1022487, 1042177, and 1022483 to enhance parsing and reporting for the Linux (ASP) data source.

March 17, 2016
Modified Rules
Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1012094 and 1064621 were updated to map the DNS Type from the logs into the DNS_Type field in the ESM. The normalization was updated from System -> Misc System Event to Network Access -> DNS.

Vendor: Microsoft
Data Source: Windows DNS (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1013184 through 1013355 and 1064201 through 1064204 were updated to map the DNS Type from the logs into the DNS_Type field in the ESM. The normalization was updated from System -> Misc System Event to Network Access -> DNS.
March 18, 2016
Modified Rules
Vendor: SourceFire
Data Source: FireSIGHT Management Console - eStreamer
Affected Versions: ESM 9.5.0 and above
Parsing rules 1056622 and 1056623 were updated to map the DeviceID.Name from the log, when present, to the Sensor_Name field in the ESM.

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1021982, 1021979, 1068611, and 1021969 were updated to enhance parsing for the Cybectec RTU (ASP) data source.

Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1009087 and 1050278 were updated to enhance parsing and action reporting for the IOS (ASP) data source. Rule 1050278 has been enhanced to parse source ip and destination ip from the logs into Source IP and Destination IP, and the normalization has been updated from Suspicious Activity -> Protocol Anomaly -> TCP Protocol Anomaly to Suspicious Activity -> Invalid Command or Data.

New Rules
Vendor: SourceFire
Data Source: FireSIGHT Management Console - eStreamer
Affected Versions: ESM 9.5.2 and above
Parsing rules 1068777 through 1068781 were added to the FireSIGHT Management Console - eStreamer rule set.

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068782 through 1068783 were added to the Cybectec RTU (ASP) data source.

Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068784 through 1068791 were added to the IOS (ASP) data source.

March 21, 2016
Modified Rules
Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1051797 was updated to enhance parsing; the rule will now capture URI referrer, CLI command, Login ID, IP, and Port from the logs into URL, Command, Source IP, and Source Port in the ESM, for the Network Security Manager (ASP) data source.

New Rules
Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Data Source rule 503-3938051225 was added to the Network Security Manager (ASP) data source.
16March24,2016ModifiedRulesVendor:UnixDataSource:Linux(ASP)AffectedVersions:ESM9.
2.
0andaboveParsingrules1006195-1006199,1006222-1006224,1006236,1006243,1006244,1011074,1011075,1011077,1012093-1012097,1012100-1012103,1016062,1027593-1027595,1037313-1037315,1037882,and1064621wereupdatedtoaccountforIPv6addresses.
Parsingrules1006195-1006199,1006224,and1006243wereupdatedtoremovesettingthemessagefromthelogtext.
TheupdatesweremadetorulesparsingBINDevents.
Vendor:McAfeeDataSource:ePolicyOrchestrator(ASP)AffectedVersions:ESM9.
2.
0andaboveParsingrule1039683wasupdatedtomapsiem_severityastheprimarycaptureandThreatSeverityasthesecondarycapturefortheSeverityfieldintheESM.
Vendor:EnforciveDataSource:Cross-PlatformAuditAffectedVersions:ESM9.
4.
1andaboveParsingrule1068804wasaddedtotheCross-PlatformAuditdatasource.

March 25, 2016
New Rules
Vendor: Wurldtech; Data Source: OpShield; Affected Versions: ESM 9.4.1 and above
Parsing rules 1068805 through 1068825 were added to the OpShield rule set.
Vendor: ReversingLabs; Data Source: N1000; Affected Versions: ESM 9.5.0 and above
Parsing rules 1068826 through 1068828 and 1068830 were added to the N1000 parsing rule set.
Vendor: UNIX; Data Source: Linux (ASP); Affected Versions: ESM 9.5.0 and above
Parsing rule 1068829 was added to the Linux rule set.

March 29, 2016
Modified Rules
Vendor: Cisco; Data Source: PIX/ASA/FWSM (ASP); Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1015389, 610122704, 1014561 through 1014562, 1014604, 610121919, 1014179, 1014180, 1014826, 1014931, 1015269, 1014925, 1014631, 1014759, 1015380, 1014952, 1014484, and 1014086 through 1014090 to improve normalization and enhance parsing for the PIX/ASA/FWSM (ASP) data source.
Parsing rules 1014086-1014090, 1014179, 1014180, 1014484, 1014604, 1014631, 1014759, 1014826, 1014925, 1014931, 1014952, 1015269, 1015380, and 1015389 were updated to map Destination IP, Source IP, Hostname, Shun List, Username, Interface, Destination Interface, and Device Type from the logs to Destination IP, Source IP, Hostname, Object name, Source Username, Interface, Destination Interface, and External Device Type in the ESM.
Vendor: McAfee; Data Source: Network Security Manager (ASP); Affected Versions: ESM 9.2.0 and above
Enhanced normalizations for data source rules 305-4528638, 305-4739739, 305-4206719, 305-4206721, 305-4206722, 305-4206731, 305-4206733, 305-4206735, 305-4206736, 305-4206737, 305-4206738, 305-4206739, 305-4206740, 305-4206741, 305-4211034, 305-4211037, 305-4223214, 305-4223217, 305-4227177, 305-4235330, 305-4309015, 305-4333579, 305-4423709, 305-4440238, 305-4526200, 305-4527128, 305-4527140, 305-4527563, 305-4528001, 305-4528252, 305-4528335, 305-4528380, 305-4528396, 305-4528419, 305-4528423, 305-4528429, 305-4528432, 305-4528463, 305-4528464, 305-4528466, 305-4528467, 305-4528468, 305-4528470, 305-4528472, 305-4528475, 305-4528476, 305-4528498, 305-4528499, 305-4528501, 305-4528502, 305-4528503, 305-4528504, 305-4528505, 305-4528511, 305-4528524, 305-4528579, 305-4528580, 305-4528581, 305-4528582, 305-4528583, 305-4528584, 305-4528585, 305-4528586, 305-4528587, 305-4528590, 305-4528591, 305-4528592, 305-4528593, 305-4528594, 305-4528595, 305-4528596, 305-4528597, 305-4528598, 305-4528599, 305-4528600, 305-4528601, 305-4528602, 305-4528633, 305-4528634, 305-4528635, 305-4528636, 305-4528637, 305-4528639, 305-4528640, 305-4528641, 305-4528642, 305-4528643, 305-4528644, 305-4528645, 305-4528646, 305-4528647, 305-4528648, 305-4528649, 305-4528650, 305-4528651, 305-4528652, 305-4528653, 305-4554767, 305-4567071, 305-4571257, 305-4571258, 305-4571260, 305-4571261, 305-4571262, 305-4571263, 305-4571264, 305-4571265, 305-4571266, 305-4575466, 305-4576075, 305-4576109, 305-4576112, 305-4576113, 305-4576114, 305-4576116, 305-4576121, 305-4576122, 305-4677739, 305-4685828, 305-4735883, 305-4735884, 305-4735887, 305-4735888, 305-4735892, 305-4739703, 305-4739801, 305-4739802, 305-4739803, 305-4739804, 305-4747340, 305-4751632, 305-4206742, 305-4528603, 305-4528604, 305-4528605, 305-4528606, 305-4528607, 305-4528608, 305-4528609, 305-4528610, 305-4528612, 305-4528613, 305-4528614, 305-4528615, 305-4528616, 305-4528617, 305-4528618, 305-4528619, 305-4528620, 305-4528621, 305-4528622, 305-4528623, 305-4528624, 305-4528625, 305-4528626, 305-4528627, 305-4528628, 305-4528629, 305-4528630, 305-4528631, 305-4528632, and 305-4528638 for the Network Security Manager (ASP) data source.
Vendor: Citrix; Data Source: NetScaler (ASP); Affected Versions: ESM 8.4.0 and above
Parsing rules 1009230, 1025795, 1009231, 1009234, 1009299, 1021515, and 1055649 were updated to remove time captures.
Event times are now derived from the syslog header.
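Deriving the event time from the syslog header instead of from a timestamp inside the message, as an added example (it is not the ESM receiver's code and not NetScaler output): an RFC 3164 header carries neither a year nor a time zone, so the collector has to supply both, and a line that arrives just after New Year must not be dated a year into the future. The log lines are constructed for this example, and the assumption that the device clock runs in the collector's zone is this example's, not the protocol's.

```python
import re
from datetime import datetime, timedelta

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss hostname message". No year, no zone.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 0-3]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample lines (not vendor output). The message body carries its
# own device-specific timestamp; that in-message capture is what the updated
# rules no longer rely on, because its format varies and is easy to mis-parse.
SAMPLE_LINES = [
    "<134>Mar 29 14:02:11 ns01 03/29/2016:14:02:11 GMT ns01 0-PPE-0 : default SSLVPN LOGIN 12345 0 : User alice - Client_ip 198.51.100.7",
    "<134>Dec 31 23:59:58 ns01 12/31/2016:23:59:58 GMT ns01 0-PPE-0 : default SSLVPN LOGOUT 12346 0 : User bob - Client_ip 198.51.100.9",
]


def header_fields(line: str) -> dict:
    """Split off PRI, timestamp text, host and message. PRI = facility*8 + severity."""
    m = _HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def _with_year(naive: datetime, year: int, tzinfo):
    try:
        return naive.replace(year=year, tzinfo=tzinfo)
    except ValueError:  # "Feb 29" placed into a non-leap year
        return None


def header_time(line: str, received_at: datetime) -> datetime:
    """Event time from the header, completed with the collector's year and zone.

    received_at must be timezone-aware. If filling in the receipt year would put
    the event more than a day after receipt, the line was emitted before a year
    rollover and the previous year is used instead. The device clock is assumed
    to be in the collector's zone (an assumption of this example).
    """
    naive = datetime.strptime(header_fields(line)["timestamp"], "%b %d %H:%M:%S")
    candidate = _with_year(naive, received_at.year, received_at.tzinfo)
    if candidate is None or candidate - received_at > timedelta(days=1):
        candidate = _with_year(naive, received_at.year - 1, received_at.tzinfo)
    if candidate is None:
        raise ValueError("header date does not exist in the candidate years")
    return candidate


def header_time_iso(line: str, received_iso: str) -> str:
    """Same as header_time, with ISO 8601 strings in and out."""
    return header_time(line, datetime.fromisoformat(received_iso)).isoformat()


if __name__ == "__main__":
    print(header_time_iso(SAMPLE_LINES[0], "2016-03-29T14:02:15+00:00"))
    print(header_time_iso(SAMPLE_LINES[1], "2017-01-01T00:00:05+00:00"))
```

The second sample line is received five seconds into 2017 but carries a December header; the rollover check dates it 2016-12-31, where a naive "current year" fill would have put it a year in the future and broken first-time/last-time ordering.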

March 30, 2016
Modified Rules
Vendor: Aruba; Data Source: ArubaOS; Affected Versions: ESM 9.2.0 and above
Updated rules 170-41260374, 170-32025424, 170-41260484, 170-53040394, 170-53040404, 170-53040414, 170-65011384, 170-65011394, 170-65030294, and 170-65030784 to enhance parsing for the ArubaOS data source.

March 31, 2016
New Rules
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.4.1 and above
Parsing rules 43-429010000, 43-429010010, and 43-429010060 were added to the Windows Event Log - WMI data source.
Modified Rules
Vendor: McAfee; Data Source: EWS v5/Email Gateway Original Format - Legacy - (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1027962 to capture all attachments listed in the logs into File_Path in the ESM, for the EWS v5/Email Gateway Original Format - Legacy - (ASP) data source.

April 01, 2016
Modified Rules
Vendor: Cisco; Data Source: NX-OS (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rules 1018245, 1018246, 1018248, 1018255 through 1018262, 1018267, 1018269, 1018273 through 1018275, 1018282, 1018284, 1018286, 1018287, 1018295, 1018297 through 1018300, 1018304, 1018305, 1018334, 1018357, 1018386, 1018392 through 1018400, 1018418, 1018423 through 1018425, 1018436, 1018444, 1018445, 1018459, 1018479 through 1018487, 1018489 through 1018588, 1018601, 1018602, 1018607 through 1018609, 1018611, 1018613, 1018614, 1018617 through 1018620, 1018667 through 1018674, 1018676 through 1018680, 1018683, 1018684, 1018686 through 1018692, 1018696, 1018697, 1018704 through 1018706, 1018709, 1018712 through 1018725, 1019037 through 1019040, 1026218, 1026222 through 1026300, 1067867, 1067868, and 1067880 were updated to enhance parsing.
The rules in this data source had been parsing Interface and Port from the logs into Object in the ESM; they will now parse Interface and Port from the logs into Interface in the ESM for the NX-OS (ASP) data source.

April 04, 2016
New Rules
Vendor: Raz-Lee Security; Data Source: iSecurity Suite (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rules 1068831 through 1068856 were added to the iSecurity Suite (ASP) data source.
Modified Rules
Vendor: Raz-Lee Security; Data Source: iSecurity Suite (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rules 1049233 through 1049251 were updated to enhance parsing. The rules were also updated to map Job, Job Type, Document, and Msg ID from the logs into Mainframe_Job_Name, Job_Type, Filename, and Message_ID in the ESM for the iSecurity Suite (ASP) data source.

April 07, 2016
Modified Rules
Vendor: Good Technology; Data Source: Good Mobile Control (ASP); Affected Versions: ESM 9.2.0 and above
Parsing rules 1048295, 1048260, 1048242, and 1048243 were updated to enhance parsing for the Good Mobile Control (ASP) data source.

April 08, 2016
Modified Rules
Vendor: Enforcive; Data Source: Cross-Platform Audit; Affected Versions: ESM 9.4.1 and above
Updated parsing rule 1068804 to map Event Status, Application, Action, Destination Process, and Message from the logs into Event Subtype, Application, Command, Target_Process_Name, and Signature_Name in the ESM, for the Cross-Platform Audit data source.
Vendor: McAfee; Data Source: Advanced Threat Defense; Affected Versions: ESM 9.4.1 and above
Parsing rule 1056389 was updated to enhance parsing for the Advanced Threat Defense data source.
Vendor: Vormetric; Data Source: Data Security (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rule 1055606 was updated to enhance parsing for the Data Security (ASP) data source.

April 21, 2016
Modified Rules
Vendor: Palo Alto Networks; Data Source: Palo Alto Firewalls (ASP); Affected Versions: ESM 9.1.0 and above
Updated parsing rules 1046703 and 1046704 to account for parentheses in rule messages for the Palo Alto Firewalls (ASP) data source.

April 26, 2016
New Rules
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.4.1 and above
Parsing rules 43-359055000, 43-359055010, 43-359055020, 43-359055040, 43-359055050, 43-359055060, 43-359055070, 43-359055080, 43-359055090, 43-359055100, 43-359055110, 43-359070500, 43-359070510, 43-359070520, 43-359070530, 43-359070540, 43-359070550, 43-359070560, 43-359070620, and 43-359075000 were added to the Windows Event Log - WMI rule set.

May 3, 2016
Modified Rules
Vendor: McAfee; Data Source: ePolicy Orchestrator (ASP); Affected Versions: ESM 9.2.0 and above
Parsing rules 1039683 and 1050406 were updated to map ThreatSeverity as the primary capture and siem_severity as the secondary capture for the Severity field in the ESM.
The mapping of the Severity values has also been enhanced.

May 5, 2016
Modified Rules
Vendor: Fortinet; Data Source: FortiGate UTM - Space Delimited - (ASP); Affected Versions: ESM 9.2.0 and above
Parsing rules 1025149, 1025629, 1025630, 1025631, 1025632, 1025633, 1025635, 1025641, 1025647, 1025648, 1025650, 1025651, 1025652, 1025653, 1064249, 1064250, 1064251, 1064252, 1064253, 1064254, 1064352, and 1064397 were updated to map status as the primary capture and action as the secondary capture for the Event Subtype field in the ESM.

May 5, 2016
Modified Rules
Vendor: Fortinet; Data Source: FortiGate UTM - Comma Delimited - (ASP); Affected Versions: ESM 9.2.0 and above
Parsing rules 1011282, 1011398, 1011399, 1011400, 1011448, 1011449, 1011450, and 1011451 were updated to map status as the primary capture and action as the secondary capture for the Event Subtype field in the ESM.

May 9, 2016
Modified Rules
Vendor: Fortinet; Data Source: FortiGate UTM - Space Delimited - (ASP); Affected Versions: ESM 9.2.0 and above
Parsing rule 1025149 was updated to add timeout to the action map.
Vendor: Proofpoint; Data Source: Messaging Security Gateway (ASP); Affected Versions: ESM 8.4.0 and above
Updated parsing rules 1012985, 1068726, 616020656, 1013013, 1068682, 1068720, 611071521, 1022487, 1047028, 1022474, 1042160, 1022464, 611071502, 1022472, and 611071510 to reduce the possibility of overlapping rules for the Messaging Security Gateway (ASP) data source.

May 11, 2016
Modified Rules
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.4.0 and above
Updated parsing rule 43-159332050 for the Windows Event Log - WMI data source to enhance Domain and Hostname parsing.

May 16, 2016
Modified Rules
Vendor: SourceFire; Data Source: FireSIGHT Management Console - eStreamer; Affected Versions: ESM 9.5.2 and above
Parsing rules 1068778 and 1068780 were updated to account for minor changes in the log format.
The Threat_Name field mapping was removed as it no longer matches the context of the event.

May 18, 2016
Modified Rules
Vendor: Tufin; Data Source: SecureTrack (ASP); Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1050338 through 1050382 for the SecureTrack (ASP) data source with new versions to enhance action mapping, support additional time formats, and improve normalization and severity.

May 23, 2016
New Rules
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.4.2 and above
Parsing rules 43-412040000 through 43-412040120, 43-412040140 through 43-412040160, 43-412040190 through 43-412040400, 43-412040420 through 43-412040990, 43-412041030 through 43-412041050, 43-412041170, 43-412041210 through 43-412042170, 43-412042500 through 43-412042740, 43-412044000 through 43-412045310, 43-412045700 through 43-412046110, 43-412047000 through 43-412047020, 43-412047660, 43-412048000 through 43-412048260, 43-412048500 through 43-412048590, 43-412049990, 43-412050050, 43-412050060, 43-412050080 through 43-412050110, 43-412050190 through 43-412050300, 43-412050320, 43-412050360 through 43-412050380, 43-412050410 through 43-412050460, 43-412050490 through 43-412050530, 43-412052030 through 43-412052060, 43-412052110, 43-412053580, 43-412055010 through 43-412055130, 43-412055190, 43-412055200 through 43-412055220, 43-412055240 through 43-412055290, 43-412056000 through 43-412056360, 43-412056380 through 43-412056600, 43-412057000, 43-412057010, 43-412057490 through 43-412057580, 43-412058050 through 43-412058300, 43-412058320 through 43-412058450, 43-412058470 through 43-412058590, 43-412058620 through 43-412058890, 43-412058900 through 43-412058980, 43-412059000 through 43-412059500, 43-412059600 through 43-412059720, 43-412060040, 43-412060050, 43-412060150, 43-412060250, 43-412060260, 43-412060350, 43-412060370, 43-412060470 through 43-412060530, 43-412060640, 43-412060880 through 43-412060920, 43-412061000, 43-412061030, 43-412061070, 43-412061090, 43-412061100, 43-412061120, 43-412061140, 43-412061150, 43-412061180 through 43-412061220, 43-412061250, 43-412061340 through 43-412061480, 43-412061500 through 43-412061540, 43-412061580 through 43-412061660, 43-412061720 through 43-412061750, 43-412061770, 43-412061790, 43-412061800, 43-412061820 through 43-412061840, 43-412061870, 43-412061880, 43-412061900 through 43-412061930, 43-412061960, 43-412062070, 43-412062080, 43-412062090, 43-412062120, 43-412062180, 43-412062240, 43-412062300 through 43-412062450, 43-412062510 through 43-412062610, 43-412062630, 43-412062660, 43-412062710, 43-412062720, 43-412062760, 43-412062770, 43-412066660, 43-412067080 through 43-412067100, 43-412067670, 43-412067740, 43-412067820, 43-412069010 through 43-412069150, 43-412069880, 43-412069890, 43-412069920 through 43-412070020, 43-412070050, 43-412070060, 43-412070080, 43-412070100 through 43-412070310, 43-412070410, 43-412070420, 43-412070440, 43-412070470, 43-412070480, 43-412070530 through 43-412070560, 43-412070590 through 43-412070690, 43-412070720 through 43-412070990, 43-412071040 through 43-412072120, 43-412072140 through 43-412072170, 43-412072190 through 43-412072380, 43-412072490, 43-412072500, 43-412072530 through 43-412072550, 43-412072570 through 43-412072640, 43-412072760, 43-412073050 through 43-412073080, 43-412073100, 43-412073150, 43-412073160, 43-412073200, 43-412073270, 43-412074320 through 43-412074350, 43-412074590 through 43-412074690, 43-412074720, 43-412074770, 43-412074840, 43-412074850, 43-412076010 through 43-412076090, 43-412076120, 43-412076220 through 43-412076270, 43-412077010 through 43-412077260, 43-412077510 through 43-412077620, 43-412077700 through 43-412077810, 43-412077830 through 43-412078100, 43-412078800 through 43-412078860, 43-412078900 through 43-412078950, 43-412079010, 43-412079030, 43-412079040, 43-412079050, 43-412079070 through 43-412079370, 43-412079430, 43-412079530 through 43-412079650, 43-412079680 through 43-412079700, 43-412079850 through 43-412079900, 43-412080010 through 43-412080120, 43-412080140 through 43-412082270, 43-412082290 through 43-412082440, 43-412082660, 43-412082760, 43-412082780, 43-412082800, 43-412082820, 43-412082840, 43-412082870 through 43-412082890, 43-412082910, 43-412082940 through 43-412083220, 43-412083230 through 43-412083250, 43-412083300 through 43-412083550, 43-412083670, 43-412083680, 43-412083700 through 43-412083830, 43-412083900 through 43-412083980, 43-412084010 through 43-412084780, 43-412084800 through 43-412085200, 43-412085490 through 43-412085700, 43-412086010 through 43-412086970, 43-412087010 through 43-412087980, 43-412088010 through 43-412088470, 43-412088500 through 43-412088570, 43-412088740 through 43-412088760, 43-412089010 through 43-412089060, 43-412089190, 43-412089340 through 43-412089370, 43-412090010 through 43-412090040, 43-412091810 through 43-412091900, 43-412091950 through 43-412091970, 43-412092010 through 43-412092480, 43-412092550, 43-412092590, 43-412092620, 43-412092700 through 43-412092730, 43-412093010, 43-412093020, 43-412094010 through 43-412094510, 43-412094530, 43-412094550 through 43-412094570, 43-412094650, 43-412094660, 43-412094690, 43-412094870 through 43-412094960, 43-412094980 through 43-412095580, 43-412095600 through 43-412095660, 43-412095720 through 43-412095990, 43-412096010 through 43-412096080, 43-412096100 through 43-412096990, 43-412097090, 43-412097100 through 43-412097710, 43-412099130 through 43-412099150, 43-412099200 through 43-412099550, 43-412099900 through 43-412099920, and 43-412099990 were added to the Windows Event Log - WMI rule set.
Modified Rules
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.4.2 and above
Parsing rules 43-412050500, 43-412058550, and 43-412092020 were modified for the Windows Event Log - WMI rule set.

May 24, 2016
Modified Rules
Vendor: Cisco; Data Source: PIX/ASA/FWSM (ASP); Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1015120 for the PIX/ASA/FWSM (ASP) data source to enhance Source IP parsing.

May 25, 2016
New Rules
Vendor: McAfee; Data Source: Web Gateway (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rules 1068944 through 1068979 were added to parse Audit events from the Web Gateway (ASP) data source.
Modified Rules
Vendor: Cisco; Data Source: PIX/ASA/FWSM (ASP); Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1015106 for the PIX/ASA/FWSM (ASP) data source to enhance Source IP and Destination IP parsing.

May 26, 2016
Modified Rules
Vendor: Cisco; Data Source: PIX/ASA/FWSM (ASP); Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1014962 for the PIX/ASA/FWSM (ASP) data source to map Source IP from the log into Source IP in the ESM.

May 27, 2016
New Rules
Vendor: Palo Alto Networks; Data Source: Palo Alto Firewalls (ASP); Affected Versions: ESM 9.4.1 and above
Added parsing rule 1068980 to the Palo Alto Firewalls (ASP) data source.
Modified Rules
Vendor: Palo Alto Networks; Data Source: Palo Alto Firewalls (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1010432 through 1010433, 1010436, 1010441, 1012903, 1012906, 1012909, 1012912, 1042252, and 1042253 for the Palo Alto Firewalls (ASP) data source to enhance parsing.

June 2, 2016
New Rules
Vendor: Interset; Data Source: Interset; Affected Versions: ESM 9.5.1 and above
Added support for the Interset data source.
Modified Rules
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.4.1 and above
Parsing rules 43-263051500, 43-263051510, 43-263051520, 43-263051530, 43-263051560, and 43-263051570 were updated to map the direction from the log to the Direction field in the ESM.
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.5.0 and above
301 parsing rules were added to the Windows Event Log - WMI data source to parse events from HealthService and OpsMgr SDK Service.

June 06, 2016
New Rules
Vendor: UNIX; Data Source: Linux (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rules 1068985, 1068986, and 1068987 were added to the Linux (ASP) data source.
Modified Rules
Vendor: UNIX; Data Source: Linux (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1024835, 1024836, 1037338, 1047096, 1006257, 1009704, 1012451, 1033961, 1033962 through 1033964, 1054512, 1050462, 1037336, 1037334, 1037379, 1037383, 1046255, 1047003, 1047078, 1047125, 1009719, 1054659, 1055789, and 1055920 for the Linux (ASP) data source to enhance parsing.
Parsing rules 1047158, 1037340, and 1047365 have been deprecated.

June 08, 2016
New Rules
Vendor: Globalscape; Data Source: Globalscape EFT; Affected Versions: ESM 9.4.1 and above
Added support for the Globalscape EFT data source.
Parsing rule 1068988 was added to the Globalscape EFT data source.
Vendor: SafeNet; Data Source: Hardware Security Modules (ASP); Affected Versions: ESM 9.4.1 and above
Parsing rule 1068989 was added to the Hardware Security Modules (ASP) data source.
Vendor: Blue Coat; Data Source: Reporter; Affected Versions: ESM 9.5.0 and above
Added support for the Reporter data source.
Parsing rule 1068990 was added to the Reporter data source.
Modified Rules
Vendor: SafeNet; Data Source: Hardware Security Modules (ASP); Affected Versions: ESM 9.4.1 and above
Updated parsing rules 1009151 through 1009153, 1009315, 1009316 through 1009323, 1009325, and 1009326 for the Hardware Security Modules (ASP) data source.

June 13, 2016
Modified Rules
Vendor: Cisco; Data Source: IOS (ASP); Affected Versions: ESM 9.1.0 and above
Parsing rules 1029460, 1029315, and 1029316 for the IOS (ASP) data source were updated to enhance parsing.
Vendor: Cisco; Data Source: IOS (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rules 1029315 and 1029315 have been updated to parse Command from the logs into Message_Text in the ESM; they had previously parsed Command into Object.
The parsing rules have also been updated to capture Event-ID from the logs into External_EventID in the ESM.
Vendor: Riverbed; Data Source: Steelhead; Affected Versions: ESM 9.2.0 and above
Parsing rules 1016489, 1016488, and 1016487 were updated to correctly parse usernames from the logs.
Rules 1016489 and 1016488 were also updated to set the subtype to stop rather than modify and remove.

June 15, 2016
Modified Rules
Vendor: CyberArk; Data Source: Privileged Identity Management Suite - CEF (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rule 1036485 was updated to map the timestamp from the log to the first time and last time fields in the ESM.

June 17, 2016
Modified Rules
Vendor: Cisco; Data Source: IOS (ASP); Affected Versions: ESM 9.1.0 and above
Parsing rule 1009360 was updated to map the user, source IP, and destination port from the log to the UserName, Source IP, and Destination Port fields in the ESM.

June 20, 2016
New Rules
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.1.0 and above
Parsing rules 43-325000040, 43-325000050, and 43-325000080 were added to the Windows Event Log - WMI rule set.
Modified Rules
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.2.1 and above
Parsing rule 43-325000010 was updated to parse User, Result Size, and Email Addresses from the logs into Source_UserID, Request_Type, and Mail_ID in the ESM, for the Windows Event Log - WMI data source.

June 23, 2016
New Rules
Vendor: Cooper Power Systems; Data Source: Cybectec RTU (ASP); Affected Versions: ESM 9.5.0 and above
Parsing rule 616140601 was added to the Cybectec RTU (ASP) data source.
Modified Rules
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.2.0 and above
Updated parsing rules 43-211006241, 43-211006421, 43-211006420, 43-211006450, 43-211006460, 43-211006461, 43-263047200, 43-263047380, and 43-263047420 for the Windows Event Log - WMI data source to enhance parsing of UserAccountControl and PasswordLastSet so that they display in human-readable format in the ESM.
Updated normalization for rule 43-211006450.
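Rendering UserAccountControl and PasswordLastSet in human-readable form, as an added example (the ESM rules' own capture logic is not shown on the page): the account-control value is a bitmask whose flag values are documented for the Active Directory attribute, and a raw PasswordLastSet as delivered by an attribute pull is a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC. The event record below is constructed for this example, and its field names and raw value formats are this example's assumptions; the same fields rendered through the Security log's message text arrive pre-formatted in a different shape.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits as documented for the AD attribute, in
# ascending bit order so the decoded list has a stable order.
UAC_FLAGS = [
    (0x00000001, "SCRIPT"),
    (0x00000002, "ACCOUNTDISABLE"),
    (0x00000008, "HOMEDIR_REQUIRED"),
    (0x00000010, "LOCKOUT"),
    (0x00000020, "PASSWD_NOTREQD"),
    (0x00000040, "PASSWD_CANT_CHANGE"),
    (0x00000080, "ENCRYPTED_TEXT_PWD_ALLOWED"),
    (0x00000100, "TEMP_DUPLICATE_ACCOUNT"),
    (0x00000200, "NORMAL_ACCOUNT"),
    (0x00000800, "INTERDOMAIN_TRUST_ACCOUNT"),
    (0x00001000, "WORKSTATION_TRUST_ACCOUNT"),
    (0x00002000, "SERVER_TRUST_ACCOUNT"),
    (0x00010000, "DONT_EXPIRE_PASSWORD"),
    (0x00020000, "MNS_LOGON_ACCOUNT"),
    (0x00040000, "SMARTCARD_REQUIRED"),
    (0x00080000, "TRUSTED_FOR_DELEGATION"),
    (0x00100000, "NOT_DELEGATED"),
    (0x00200000, "USE_DES_KEY_ONLY"),
    (0x00400000, "DONT_REQ_PREAUTH"),
    (0x00800000, "PASSWORD_EXPIRED"),
    (0x01000000, "TRUSTED_TO_AUTH_FOR_DELEGATION"),
    (0x04000000, "PARTIAL_SECRETS_ACCOUNT"),
]
_KNOWN_BITS = sum(bit for bit, _ in UAC_FLAGS)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _to_int(raw) -> int:
    """Accept the value as decimal ("514") or hex ("0x202"), as logs vary."""
    s = str(raw).strip()
    return int(s, 16) if s.lower().startswith("0x") else int(s, 10)


def decode_uac(raw) -> list:
    """Bitmask -> list of flag names; undocumented bits are reported, not dropped."""
    value = _to_int(raw)
    names = [name for bit, name in UAC_FLAGS if value & bit]
    leftover = value & ~_KNOWN_BITS
    if leftover:
        names.append("UNKNOWN_0x%X" % leftover)
    return names


def decode_filetime(raw) -> str:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 UTC string.

    0 for pwdLastSet means the password was never set / must change at next
    logon; 0x7FFFFFFFFFFFFFFF is the "never" sentinel used by accountExpires.
    """
    ft = _to_int(raw)
    if ft == 0:
        return "Never"
    if ft == 0x7FFFFFFFFFFFFFFF:
        return "Never expires"
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed event record (assumed shape of a raw attribute pull, not real
# Windows output): UAC and PasswordLastSet arrive as numbers, not text.
SAMPLE_EVENT = {
    "EventCode": "4738",
    "TargetUserName": "svc-backup",
    "UserAccountControl": "0x10200",
    "PasswordLastSet": "131111505020000000",
}


def enrich(event: dict) -> dict:
    """Add human-readable companions next to the raw fields, leaving the raw values intact."""
    out = dict(event)
    if "UserAccountControl" in out:
        out["UserAccountControl_Flags"] = " | ".join(decode_uac(out["UserAccountControl"]))
    if "PasswordLastSet" in out:
        out["PasswordLastSet_Human"] = decode_filetime(out["PasswordLastSet"])
    return out


if __name__ == "__main__":
    for k, v in enrich(SAMPLE_EVENT).items():
        print(f"{k}: {v}")
```

Keeping the raw value beside the decoded one matters for detection content: a rule that watches for DONT_REQ_PREAUTH or PASSWD_NOTREQD being set can match the flag name, while correlation on the exact numeric transition (old value vs. new value) still has the original integer.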

June 28, 2016
Modified Rules
Vendor: SourceFire; Data Source: FireSIGHT Management Console - eStreamer; Affected Versions: ESM 9.5.0 and above
Updated parsing rules 1056653 through 1056655, 1056622, 1056623, 1056660, 1056663, 1056667, 1056668, 1056670 through 1056673, and 1068777 through 1068780 to map the UserName from the eStreamer logs to the Username field in the ESM.
This update accommodates changes made to these record types in eStreamer version 6.

June 30, 2016
New Rules
Vendor: VMware; Data Source: VMware (ASP); Affected Versions: ESM 9.5.0 and above
Parsing rules 1068992 through 1069071 were added to the VMware (ASP) data source.
Modified Rules
Vendor: VMware; Data Source: VMware (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1051853, 1026195, 1026172, 1026175, 1026179, 1026164, 1017120, 1026212, 1026156, 1026152, 1017095, 1026147, and 1009704 for the VMware (ASP) data source to enhance parsing.
Vendor: UNIX; Data Source: Linux (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1054547 for the Linux (ASP) data source to capture File from the logs into Filename in the ESM.
Parsing rule 1025057 was also updated to enhance parsing and will now map Result and Process from the logs into the Reason and Process_Name fields in the ESM.

July 07, 2016
Modified Rules
Vendor: Fortinet; Data Source: FortiMail; Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1063873, 1063991, and 1063992 through 1063994 for the FortiMail data source to enhance parsing.
Vendor: Fortinet; Data Source: FortiWeb Web Application Firewall (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1025489 for the FortiWeb Web Application Firewall (ASP) data source to enhance parsing.
Vendor: Global Technology Associates; Data Source: GNAT Box (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1012655 for the GNAT Box (ASP) data source to enhance parsing.
Vendor: KEMP Technologies; Data Source: LoadMaster (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1019843 for the LoadMaster (ASP) data source to enhance parsing.
Vendor: Nortel Networks; Data Source: Contivity VPN (ASP); Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1056264 for the Contivity VPN (ASP) data source to enhance parsing.
Vendor: VMware; Data Source: VMware (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1026166 for the VMware (ASP) data source to enhance parsing.
Vendor: Cooper Power Systems; Data Source: Yukon IED Manager Suite (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1022282 for the Yukon IED Manager Suite (ASP) data source to enhance parsing.
Vendor: FreeRADIUS; Data Source: FreeRADIUS (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1010334 through 1010335 for the FreeRADIUS (ASP) data source to enhance parsing.
Vendor: Nortel Networks; Data Source: VPN Gateway 3050 (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1011578 through 1011579 for the VPN Gateway 3050 (ASP) data source to enhance parsing.
Vendor: Blue Coat; Data Source: Director (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1047667 for the Director (ASP) data source to enhance parsing.

July 08, 2016
New Rules
Vendor: Juniper Networks; Data Source: JUNOS Router (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rules 1069074 through 1069085 were added to the JUNOS Router (ASP) data source.
Vendor: Juniper Networks; Data Source: JUNOS - Structured-Data Format (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rules 1069076 through 1069079 and 1069081 through 1069085 were added to the JUNOS - Structured-Data Format (ASP) data source.
Vendor: Cisco; Data Source: PIX/ASA/FWSM (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rules 1069086 and 1069087 were added to the PIX/ASA/FWSM (ASP) data source.
Modified Rules
Vendor: Cisco; Data Source: PIX/ASA/FWSM (ASP); Affected Versions: ESM 9.4.0 and above
Parsing rules 1014132, 1014133, 1014138, 1014172, 1014173, 1014219, 1014253, 1014254, 1014258, 1014304, 1014307, 1014308, 1014366, 1014380 through 1014386, 1014431 through 1014433, 1014435, 1014437, 1014498, 1014534, 1014599, 1014603, 1014604, 1014688, 1014703, 1014710, 1014711, 1014713, 1014827, 1014828, 1014891, 1014914, 1015100, 1015101, 1015102, 1015104, 1015105 through 1015111, 1015126, 1015161, 1015448, 1015450, 1015673, 1015678, 1046702, and 1047465 through 1047466 were updated to set the protocol field in the ESM for the PIX/ASA/FWSM (ASP) data source.

July 11, 2016
Modified Rules
Vendor: Aruba; Data Source: ArubaOS; Affected Versions: ESM 9.2.0 and above
Updated rules 170-41260054, 170-41260334, 170-41260354, 170-41260364, 170-41260384, 170-41260454, 170-41260474, 170-41260484, 170-41260524, 170-41260534, 170-41260544, 170-41260654, 170-41260664, 170-41260694, 170-41260714, 170-41260754, 170-41261094, and 170-41260874 to enhance parsing for the ArubaOS data source.

July 12, 2016
Modified Rules
Vendor: Barracuda Networks; Data Source: Web Application Firewall (ASP); Affected Versions: ESM 9.2.0 and above
Parsing rules 1036900 and 1036901 have been updated to parse Application Layer Protocol from the logs into Application_Layer_Protocol in the ESM, for the Web Application Firewall (ASP) data source.
The normalization for rule 1036901 has been changed from System Status to Network Access.

July 13, 2016
New Rules
Vendor: McAfee; Data Source: Host Data Loss Prevention (ePO); Affected Versions: ESM 9.4.1 and above
Data source rules 359-19100 through 359-19137, 359-19170, 359-19171, 359-19175 through 359-19179, and 359-19181 through 359-19189 have been added to the Host Data Loss Prevention (ePO) data source.
Modified Rules
Vendor: UNIX; Data Source: Linux (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1025057 and 1006274 to enhance parsing and to capture Process name from the logs into Process_Name in the ESM, for the Linux (ASP) data source.
Vendor: UNIX; Data Source: Linux (ASP); Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1054574, 1054561, 1047127, 1006270, 1054576, 1054591, 1054591, 1054581, 1006269, 1054564, 1006272, 1047125, 1054572, 1054559, 1006257, 1054566, 1054578, 1047129, 1054555, 1054570, 1054567, 1054586, 1054584, 1047128, 1006268, 1054562, 1054590, 1047022, 1054545, 1054589, 1054575, 1006273, 1054582, 1047126, 1054556, 1054568, 1054565, 1054579, 1054587, 1054554, 1054580, 1054571, 1054585, 1054583, 1068985, 1054552, and 1054573 with additional content for the Linux (ASP) data source.
Normalization for parsing rules 1006269 and 1006268 has been changed from Misc Application Event to Authentication.
Normalization for parsing rule 1006272 has been changed from Misc Application Event to Connection/Session.
Normalization for rule 1054589 has been changed from Application Status to Connection/Session.
The regular expressions for parsing rules 1047127, 1054566, 1054562, 1054582, and 1054568 have been updated to match the style used in other rules; the parsing logic is unchanged.

July 15, 2016
New Rules
Vendor: Citrix; Data Source: NetScaler (ASP); Affected Versions: ESM 9.4.1 and above
Parsing rules 1069088 and 1069089 were added to the NetScaler (ASP) data source.

July 19, 2016
New Rules
Vendor: PhishMe; Data Source: PhishMe Intelligence; Affected Versions: ESM 9.5.0 and above
Parsing rule 1069090 was added to the PhishMe Intelligence data source.

July 22, 2016
New Rules
Vendor: Cooper Power Systems; Data Source: Cybectec RTU (ASP); Affected Versions: ESM 9.5.0 and above
Parsing rule 1069091 was added to the Cybectec RTU (ASP) data source.

July 25, 2016
Updated Rules
Vendor: McAfee; Data Source: Network DLP Monitor (ASP); Affected Versions: ESM 9.4.0 and above
The regular expressions for parsing rule 1035971 were updated to improve matching and parsing where the value of a CEF key itself contained equals signs.

August 02, 2016
New Rules
Vendor: Cisco; Data Source: PIX/ASA/FWSM (ASP); Affected Versions: ESM 9.4.1 and above
Parsing rule 1069092 was added to the PIX/ASA/FWSM (ASP) rule set to cover CX module events.
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.4.1 and above
Parsing rules 43-432004110 and 43-432005160 were added to the Windows Event Log - WMI rule set to cover AD FS Auditing events.

August 04, 2016
Modified Rules
Vendor: UNIX; Data Source: Linux (ASP); Affected Versions: ESM 9.4.0 and above
Updated message parsing for rules 1047301 and 1047312 in the Linux (ASP) data source.
New Rules
Vendor: McAfee; Data Source: Network Security Manager (ASP); Affected Versions: ESM 9.2.0 and above
Data Source rules 305-4529091, 305-4529092, 305-4529073, 305-4529090, 305-4529088, 305-4529078, 305-4529122, 305-4529075, 305-4529081, 305-4529089, 305-4529121, 305-4529077, 305-4529101, 305-4529102, 305-4529082, 305-4529103, 305-4529083, 305-4529084, 305-4529105, 305-4529104, 305-4529093, 305-4529094, 305-4529095, 305-4529096, 305-4529079, and 305-4529076 were added to the NSM rule set.
Vendor: Malwarebytes; Data Source: Breach Remediation; Affected Versions: ESM 9.5.0 and above
Parsing rule 1069093 and data source rules 564-3017354735, 564-2790178439, 564-2790178440, 564-3995890617, 564-2150188648, 564-2409809493, 564-2151493679, 564-2122020773, 564-3384294373, and 564-3094096311 were added to the Breach Remediation data source.

August 11, 2016
New Rules
Vendor: Malwarebytes; Data Source: Management Console; Affected Versions: ESM 9.5.0 and above
Parsing rule 1069094 was added to the Management Console rule set.

August 15, 2016
New Rules
Vendor: CyberArk; Data Source: Privileged Threat Analytics; Affected Versions: ESM 9.5.0 and above
Parsing rule 1069095 and data source rules 566-21, 566-22, 566-23, 566-24, and 566-25 were added to the Privileged Threat Analytics rule set.

August 22, 2016
New Rules
Vendor: Juniper Networks; Data Source: NetScreen/IDP (ASP); Affected Versions: ESM 9.4.1 and above
Parsing rule 1069096 was added to the NetScreen/IDP (ASP) data source.
Modified Rules
Vendor: Forcepoint/Websense; Data Source: Cloud Web Security; Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1056610 for the Cloud Web Security data source to accommodate a vendor change.
Vendor: Forcepoint/Websense; Data Source: Websense - CEF, Key Value Pair; Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1055660 and 1055661 for the Websense - CEF, Key Value Pair data source to accommodate a vendor change.
Vendor: Forcepoint/Websense; Data Source: Websense Enterprise; Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1042178 and 1042179 for the Websense Enterprise data source to accommodate a vendor change.
Vendor: Cisco; Data Source: PIX/ASA/FWSM (ASP); Affected Versions: ESM 9.4.0 and above
Updated normalization and enhanced parsing for rule 1014593 for the PIX/ASA/FWSM (ASP) data source.

August 24, 2016
New Rules
Vendor: Microsoft; Data Source: Windows Event Log - WMI; Affected Versions: ESM 9.5.0 and above
Data Source rules 43-433000010, 43-433000020, 43-433000030, 43-433000040, 43-433000050, 43-433000060, 43-433000070, 43-433000080, 43-433001000, 43-433001010, 43-433001020, 43-433001030, 43-433001040, 43-433001050, 43-433001060, 43-433001950, 43-433002000, 43-433003000, 43-433004000, 43-433004010, 43-433004020, 43-433004030, 43-433005000, 43-433005010, 43-433005020, 43-433006000, 43-433006010, 43-433007000, and 43-433008000 were added to the Windows Event Log - WMI rule set to enhance PowerShell event parsing.

September 1, 2016
New Rules
Vendor: Skyhigh Networks; Data Source: Cloud Security Platform; Affected Versions: ESM 9.5.1 and above
Parsing rule 1069097 was added to the Cloud Security Platform data source.
Vendor: Niara; Data Source: Niara; Affected Versions: ESM 9.5.0 and above
Parsing rule 1069098 was added to the Niara rule set.
Vendor: TrapX; Data Source: DeceptionGrid; Affected Versions: ESM 9.5.0 and above
Parsing rules 1069099 through 1069101 were added to the DeceptionGrid rule set.
Modified Rules
Vendor: McAfee; Data Source: Next Generation Firewall - Stonesoft (ASP); Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1036002 to match logs where the vendor is displayed as Forcepoint.

September 2, 2016
New Rules
Vendor: Attivo Networks; Data Source: BOTsink; Affected Versions: ESM 9.5.0 and above
Parsing rule 1069102 was added to the BOTsink rule set.
Vendor: PhishMe; Data Source: PhishMe Triage; Affected Versions: ESM 9.5.1 and above
Parsing rule 1069103 was added to the PhishMe Triage data source.
Modified Rules
Vendor: Unix; Data Source: Linux (ASP); Affected Versions: ESM 9.1.0 and above
The regular expression for parsing rule 1025057 was updated to improve matching for logs that were previously unparsed.
Duplicate rule 1054475 was deprecated.
Vendor: STEALTHbits; Data Source: StealthINTERCEPT; Affected Versions: ESM 9.4.0 and above
Parsing rules 1056566 through 1056571 were updated to handle an additional time format in the log.

September 15, 2016
Modified Rules
Vendor: Aruba Networks; Data Source: ClearPass (ASP); Affected Versions: ESM 9.5.1 and above
Parsing rules 1046107 and 1046108 were updated to prevent them from matching CEF-formatted logs.
New Rules
Vendor: Aruba Networks; Data Source: ClearPass (ASP); Affected Versions: ESM 9.5.1 and above
Parsing rules 1069104 through 1069107 were added to the ClearPass (ASP) rule set to parse specific CEF-formatted logs.
Vendor: Aruba Networks; Data Source: ClearPass (ASP); Affected Versions: ESM 9.5.1 and above
Data source rules 465-3172836525, 465-2670855048, 465-3105812804, 465-3112560060, 465-2964857595, 465-2062101402, 465-2934321378, 465-2755150032, 465-3733475255, 465-2141708101, 465-3504859385, 465-2566107805, 465-3568337151, 465-3152996588, 465-2321965288, 465-2205290893, 465-2848710351, 465-2750466264, 465-2860277828, 465-2124826802, 465-3333703049, 465-2007291433, 465-2113144658, 465-2108181927, 465-2828310543, 465-3029497000, 465-3478111534, 465-2345778352, 465-3213445169, 465-2265868490, 465-2178993584, 465-2481318708, 465-2540546969, 465-3323529474, 465-2359259948, 465-2886342946, 465-2681363744, 465-3808383751, 465-3794678124, 465-3284048573, 465-2185649474, 465-2993316923, 465-3208138604, 465-2202995122, 465-2336894523, 465-2940786301, 465-2932630954, 465-2802186261, 465-2514278658, 465-3183157313, 465-3790252838, 465-3503934525, 465-3589338436, 465-2000038971, 465-2905675119, 465-2041046925, 465-3280552083, 465-2453212473, 465-3920211009, 465-3781375127, 465-3085941001, 465-2966634593, and 465-2613872364 were added to the ClearPass (ASP) rule set.
September 19, 2016
Modified Rules
Vendor: VMware
Data Source: AirWatch
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068362 through 1068367 for the AirWatch data source were updated to map the Event Source from the log to the Object_Type field in the ESM.
Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.4.0 and above
Updated the regular expression for parsing rule 1054512 to minimize the chance of it matching unintended logs.
Updated rule 1006259 and set the action to failure instead of error.
Updated rule 1006255 to capture the hostname from the rhost field in the log, when its value is a hostname instead of an IP address, and mapped it to the hostname field in the ESM.
September 23, 2016
Modified Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.0 and above
Updated rule 43-263047690 for the Windows Event Log - WMI data source to retain the Event Subtype sent by Windows.
September 26, 2016
Modified Rules
Vendor: McAfee
Data Source: ePolicy Orchestrator (SiteAdvisor)
Affected Versions: ESM 9.4.1 and above
Parsing rule 1047503 was updated.
The regular expression matches for action and severity were updated.
The action and severity maps were updated to include more values.
Additional regular expressions were added to map the HostName, HostIP, Rating, and ContentFuncGroup fields from the log to the Hostname, Source IP, Status, and URL_Category fields in the ESM.
The mapping for ReasonType to Category was updated to prepend the ListType if the Reason is list.
Vendor: Bit9
Data Source: Bit9 Security Platform / Parity Suite (ASP)
Affected Versions: ESM 9.4.0 and above
The regular expressions for parsing rules 1036235 through 1036241, 1036247, 1036250, 1036256, 1036290 through 1036292, 1036360, 1036446, 1036469, and 1036470 were updated to match various versions of the logs.
October 5, 2016
Modified Rules
Vendor: McAfee
Data Source: Network Security Manager - SQL Pull (ASP)
Affected Versions: ESM 9.6.0 and above
Parsing rules 1034529, 1067507, 1067508, 1067509, and 1067510 were updated to better handle event reporting for environments running multiple stand-alone installations of NSM.
Events reported in ESM for Standard NSM Signatures will have an ESM signature ID based on NSM's Attack ID.
Events reported in ESM for User Defined NSM Signatures will have an ESM signature ID calculated based on NSM's signature name.
ESM rule names have been updated to include L7 for rules that parse Layer 7 information if it is present.
Field mappings were added for the AttackIDReference and RuleSetType fields from the log to the Message_ID and Event_Class fields within ESM.
Rules 1067507 and 1067510 were modified to map the NetBIOSAction and FTPAction fields from the log to the Request_Type field in ESM.
New Rules
Vendor: McAfee
Data Source: Network Security Manager - SQL Pull (ASP)
Affected Versions: ESM 9.6.0 and above
Parsing rule 1069108 was added to the Network Security Manager - SQL Pull (ASP) rule set.
October 12, 2016
New Rules
Vendor: Fortscale
Data Source: Fortscale UEBA
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069109 was added to the Fortscale UEBA rule set.
Modified Rules
Vendor: Check Point
Data Source: Check Point (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1047557 and 1047556 for the Check Point (ASP) data source.
October 13, 2016
New Rules
Vendor: ThreatConnect
Data Source: ThreatConnect Threat Intelligence Platform
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069110 was added to the ThreatConnect Threat Intelligence Platform rule set.
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.1 and above
Parsing rules 43-432002990, 43-432003070, 43-432003240, 43-432004030, 43-432004040, 43-432004100, 43-432004120, 43-432004130, 43-432004310, 43-432005000, 43-432005010, 43-432005100, 43-432010220, 43-432010230, 43-432010240, 43-432011020, 43-432001110, 43-432001430, 43-432001560, 43-432001570, 43-432001980, 43-432002000, 43-432002070, 43-432002090, 43-432002220, 43-432002240, 43-432002300, 43-432002450, 43-432002520, 43-432003250, 43-432003420, 43-432003640, 43-432003860, 43-432003890, 43-432003910, 43-432003960, 43-432003990, 43-432004220, 43-432005010, and 43-432010000 were added to the Windows Event Log - WMI rule set to parse events from ADFS and ADFS Auditing Events.
October 25, 2016
Modified Rules
Vendor: Cisco
Data Source: IOS IPS (SDEE protocol)
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1067511 for the IOS IPS (SDEE protocol) data source.
Vendor: Check Point
Data Source: Check Point (ASP)
Affected Versions: ESM 9.4.0 and above
Added Bytes_Sent, Bytes_Received, and Total_Bytes to parsing rules 1047552 through 1047558 for the Check Point (ASP) data source.
October 28, 2016
Modified Rules
Vendor: Blue Coat
Data Source: Reporter
Affected Versions: ESM 9.5.0 and above
Parsing rule 1068990 was updated to match the new Cloud Access Log format introduced in Reporter version 6.8.1.63.
November 2, 2016
Modified Rules
Vendor: Juniper Networks
Data Source: Juniper Secure Access / MAG (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1057102 for the Juniper Secure Access / MAG (ASP) data source.
Vendor: McAfee
Data Source: Next Generation Firewall - Stonesoft (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1036002 for the Next Generation Firewall - Stonesoft (ASP) data source.
November 7, 2016
Modified Rules
Vendor: McAfee
Data Source: ePolicy Orchestrator (ASP)
Affected Versions: ESM 9.5.0 and above
Parsing rules 1039681 and 1039682 were updated to map Endpoint Security events reported in ePO to the Endpoint Security data sources on SIEM.
November 9, 2016
Modified Rules
Vendor: Websense
Data Source: Websense - CEF, Key Value Pair (ASP)
Affected Versions: ESM 9.4.0 and above
Updated the parsing rules 1042183 and 1042179 for the Websense - CEF, Key Value Pair (ASP) data source.
New Rules
Vendor: Websense
Data Source: Websense - CEF, Key Value Pair (ASP)
Affected Versions: ESM 9.4.1 and above
Parsing rule 1069111 was added to the Websense - CEF, Key Value Pair (ASP) data source.
November 10, 2016
New Rules
Vendor: Oracle
Data Source: Oracle Audit - SQL Pull (ASP)
Affected Versions: ESM 9.4.2 and above
Parsing rule 1069112 was added to the Oracle Audit - SQL Pull (ASP) rule set to parse events specifically collected from the Unified Audit Trail.
Modified Rules
Vendor: Oracle
Data Source: Oracle Audit (ASP)
Affected Versions: ESM 9.2.1 and above
Parsing rule 1047589 was updated to map additional messages for DECLARE, BEGIN, and CONNECT, which were added in Oracle Unified Auditing.
Vendor: Oracle
Data Source: Oracle Audit - XML File Pull (ASP)
Affected Versions: ESM 9.2.1 and above
Parsing rule 1054452 was updated to map additional messages for DECLARE, BEGIN, and CONNECT, which were added in Oracle Unified Auditing.
November 11, 2016
Modified Rules
Vendor: McAfee
Data Source: ePolicy Orchestrator (ASP)
Affected Versions: ESM 9.4.1 and above
Parsing rule 1039683 was updated to map the LocalPort and RemotePort from the HIPS log to the Source Port and Destination Port fields in the ESM.
December 2, 2016
Modified Rules
Vendor: ThreatConnect
Data Source: ThreatConnect Threat Intelligence Platform
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069110 was updated to map the IP Indicator field from the log to the Destination IP field in the ESM, allowing the indicator to be optionally appended to an IP watchlist.
December 5, 2016
Modified Rules
Vendor: Infoblox
Data Source: NIOS
Affected Versions: ESM 9.5.0 and above
Parsing rules 1016575, 1016598, 1016703, 1016706, 1016733, 1046074, 1046075, 1046076, and 1064622 were updated to account for optional items in the log header, and to parse IPv6 addresses from the logs.
Vendor: Symantec
Data Source: Endpoint Protection (ASP)
Affected Versions: ESM 9.4.1 and above
Parsing rules 1049062 and 1064406 through 1064409 were updated to map the parameter field from the log to the Destination_Filename field in the ESM.
Vendor: Fortscale
Data Source: Fortscale UEBA
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069109 was updated to map the Alert ID from the URL in the log to the External_SessionID field in the ESM.
December 14, 2016
Modified Rules
Vendor: F5 Networks
Data Source: BIG-IP Application Security Manager - CEF (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1037454 was updated to account for a potentially blank device version field in the CEF header.
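The blank device version field that rule 1037454 now tolerates is a general CEF header edge case: two adjacent pipes must yield an empty field rather than shift every later field by one. The Python parser below is an added example, not the ESM rule or any vendor's code; it splits the header on unescaped pipes, keeps empty header fields, decodes the extension's escaped key=value pairs, and runs over constructed sample lines (the field names, product names and addresses in them are made up).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not taken from the page). The second line has an
# empty Device Version field, the header edge case the F5 rule update handles;
# the third line exercises escaped pipes in header fields.
SAMPLE_LINES: List[str] = [
    r"CEF:0|F5|ASM|12.1.0|200000|Illegal file type|5|src=10.0.0.5 dst=192.0.2.10 request=/admin\=1 act=blocked",
    r"CEF:0|F5|ASM||200001|Illegal URL|7|src=10.0.0.6 dst=192.0.2.10 request=/etc/passwd act=alerted",
    r"CEF:0|Vendor\|Inc|Prod|1.0|100|Pipe \| in name|3|src=10.0.0.7 msg=hello world act=none",
]

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven CEF header fields on unescaped '|'.

    Backslash escapes ('\\|' and '\\\\') are decoded as we go, and an empty
    field between two adjacent pipes is returned as '' rather than dropped.
    Returns (header_fields, extension_text).
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields: List[str] = []
    buf: List[str] = []
    i = len("CEF:")
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep the next char literally
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":                          # unescaped field separator
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return fields, line[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Decode 'key=value' pairs; values may contain spaces and '\\=' escapes."""
    pairs: Dict[str, str] = {}
    # A new pair starts at whitespace followed by 'key='. The key class excludes
    # the backslash, so an escaped '\=' inside a value cannot start a new key.
    for token in re.split(r"\s+(?=[\w.]+=)", ext.strip()):
        if not token:
            continue
        key, _, value = token.partition("=")
        pairs[key] = re.sub(r"\\(.)", r"\1", value)   # unescape '\=' and '\\'
    return pairs


def parse_cef(line: str) -> Dict[str, str]:
    """Return the header fields and extension pairs as one flat dict."""
    header, ext = split_header(line)
    event = dict(zip(HEADER_FIELDS, header))
    event.update(parse_extension(ext))
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        ev = parse_cef(sample)
        print(ev["device_vendor"], repr(ev["device_version"]), ev["name"], ev["act"])
```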
Vendor: Trend Micro
Data Source: Deep Discovery - CEF (ASP)
Affected Versions: ESM 9.2.0 and above
The message for data source rule 473-200120 was updated from Blacklist Change to Deny List Updated to reflect the current event description.
Vendor: Microsoft
Data Source: Internet Information Services - FTP (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1029035 to account for IPv6 addresses.
Vendor: Microsoft
Data Source: Internet Information Services (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1046244 and 1046245 to account for IPv6 addresses.
Vendor: Microsoft
Data Source: Internet Information Services - SMTP (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1056295 to account for IPv6 addresses.
December 15, 2016
Modified Rules
Vendor: McAfee
Data Source: McAfee VirusScan Enterprise
Affected Versions: ESM 9.5.0 and above
Parsing rule 1051893 was updated to map just the file name, excluding the path, from the TargetFileName field in the log to the Filename field in the ESM.
Vendor: McAfee
Data Source: MOVE AntiVirus (ePO)
Affected Versions: ESM 9.5.0 and above
Parsing rules 1039681 and 1039682 were updated to map the new MOVE product family names, enabling the events to be listed under the MOVE data source instead of the parent ePO data source.
December 16, 2016
Modified Rules
Vendor: Postfix
Data Source: Postfix (ASP)
Affected Versions: ESM 9.5.0 and above
Parsing rules 1012357, 1012358, 1012359, 1012361, 1012362, 1012363, 1012365, 1012367, 1012368, 1012369, 1012371, 1012372, 1012373, 1012391, 1012394, 1012409, 1012414, 1012440, 1012441, 1012443, 1012444, 1012445, 1016125, 1016126, 1016127, 1016128, 1016129, 1017710, 1017728, 1033738, 1033759, 1033777, 1033778, 1033779, 1033780, 1033781, 1033782, and 1033783 were updated to map the Queue ID from the log to the Mail_ID field in the ESM.
Rules 1012359 and 1012391 were updated to map the message-ID from the log to the Message_ID field instead of the Object field in ESM.
Rules 1012357, 1012367, 1012368, 1012369, 1012371, 1012372, 1012373, 1012409, 1012443, 1012444, and 1012445 were updated to account for queue IDs containing underscores in the logs.
Rules 1012357, 1012367, 1012368, 1012369, 1012371, 1012372, 1012373, and 1012409 were updated to map the SMTP response code from the log to the Response_Code field instead of the Command field in ESM.
The content for parsing rule 1012359 was updated to account for different queue manager process names.
Content Packs
February 3, 2016
Updated Content Packs
Content Pack Name: Windows Authentication Content Pack
Content Pack Version: 1.2.0
Updates in this version:
- Added view, "Windows Accounts Created", to monitor newly created accounts
- Updated filter on correlation rule "Windows Authentication - Admin Logon From Non-Company Geolocation on Vista-2008 or Later"
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor Microsoft Windows authentication events.
- Identify actionable intelligence within a network on correlated Windows-specific events.
February 4, 2016
New Content Packs
Content Pack Name: Windows Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor Windows system errors and events.
Updated Content Packs
Content Pack Name: Domain Policy Content Pack
Content Pack Version: 1.3.0
Updates in this version:
- Added view to monitor for group policy errors.
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Track changes related to Microsoft Windows policy in your environment.
February 18, 2016
Updated Content Packs
Content Pack Name: Recon Content Pack
Content Pack Version: 1.3.0
Updates in this version:
- Added rule to monitor stealth scan activity.
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor possible reconnaissance events, such as network sweeps and unusual use of specific protocols from external sources.
April 13, 2016
New Content Packs
Content Pack Name: Vormetric Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor Vormetric events and provide metrics to investigate key events from external sources.
April 18, 2016
Updated Content Packs
Content Pack Name: Database Content Pack
Content Pack Version: 1.2.0
Affected Version: ESM 9.5.0 and above
Updates in this version:
- Updated rules and reports.
Use this content pack to:
- Monitor database authentication events.
- Monitor successful and potential database exploit activity.
- Monitor SQL events by language type.
- Monitor general database events.
May 20, 2016
Updated Content Packs
Content Pack Name: Windows Content Pack
Content Pack Version: 1.1.0
Affected Version: ESM 9.5.0 and above
Updates in this version:
- Added correlation rules, views, and alarms to monitor application crashes and external media usage.
Use this content pack to:
- Monitor failed Windows system errors.
- Monitor service errors in Windows.
- Monitor application crashes and hangs.
- Monitor system blue screens caused by applications.
Content Pack Name: Exfiltration Content Pack
Content Pack Version: 1.2.0
Affected Version: ESM 9.5.0
Updates in this version:
- Updated all components interacting with the High Value Hosts watchlist.
Use this content pack to:
- Monitor methods of network uploads used for data exfiltration.
- Detect tampering of confidential data.
- Detect leakage of digital information via printing physical copies.
- Analyze suspicious user behavior and their access to specific resources, gauging how often they access sensitive resources on the network.
Content Pack Name: Exfiltration Content Pack
Content Pack Version: 2.1.0
Affected Version: ESM 9.5.1 and above
Updates in this version:
- Updated all components interacting with the High Value Hosts watchlist.
Use this content pack to:
- Monitor methods of network uploads used for data exfiltration.
- Detect tampering of confidential data.
- Detect leakage of digital information via printing physical copies.
- Analyze suspicious user behavior and their access to specific resources, gauging how often they access sensitive resources on the network.
May 31, 2016
Updated Content Packs
Content Pack Name: Windows Content Pack
Content Pack Version: 1.2.0
Affected Version: ESM 9.5.0 and above
Updates in this version:
- Added correlation rules and views to monitor Windows AppLocker events.
Use this content pack to:
- Monitor failed Windows system errors.
- Monitor service errors in Windows.
- Monitor application crashes and hangs.
- Monitor system blue screens caused by applications.
- Monitor AppLocker events.
June 2, 2016
New Content Packs
Content Pack Name: Interset Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor Interset User Story events.
July 12, 2016
Updated Content Packs
Content Pack Name: Malware Content Pack
Content Pack Version: 2.0.0
Affected Version: ESM 9.5.1 and above
Use this content pack to:
- Track known infections and malware-related events and their visual representation in the views.
- Follow a logical workflow for reviewing malware events, including: who is triggering these events, which threats are triggering these events, which resources are being compromised, and which corporate locations are being affected.
- Gain insight into trending malware infections in specific zones or geolocations. This allows for swift action to perform security assessments.
August 9, 2016
Updated Content Packs
Content Pack Name: Authentication Content Pack
Content Pack Version: 1.2.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor authentication events.
- View failed and successful logons, as well as specific administrator logons.
- Track system default privileged user names.
September 15, 2016
New Content Packs
Content Pack Name: Aruba Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor Aruba events.
September 27, 2016
Updated Content Packs
Content Pack Name: Windows Content Pack
Content Pack Version: 1.3.0
- Added Windows PowerShell Activity view.
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor Windows system errors and events.
September 30, 2016
New Content Packs
Content Pack Name: PhishMe Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor PhishMe events.
November 2, 2016
New Content Packs
Content Pack Name: ThreatConnect Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor ThreatConnect events.
IPS Rules
January 12, 2016
New Rules
Microsoft Scripting Engine CVE-2016-0002 Memory Corruption Vulnerability
Rule 1068368 was added to the Microsoft category in the BASE rule set.
The default usage was set to Alert.
A remote code execution vulnerability exists in the way that the VBScript engine renders when handling objects in memory in Internet Explorer.
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.
An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.
The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements.
These websites could contain specially crafted content that could exploit the vulnerability.
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Edge CVE-2016-0003 Memory Corruption Vulnerability
Rule 1068369 was added to the Microsoft category in the BASE rule set.
The default usage was set to Alert.
A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory.
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website.
The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability.
In all cases, however, an attacker would have no way to force users to view the attacker-controlled content.
Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory.
Microsoft Office CVE-2016-0012 ASLR Bypass Vulnerability
Rules 1068370 through 1068371 were added to the Microsoft category in the BASE rule set.
The default usage was set to Alert.
A security feature bypass exists when Microsoft Office fails to use the Address Space Layout Randomization (ASLR) security feature, allowing an attacker to more reliably predict the memory offsets of specific instructions in a given call stack.
An attacker who successfully exploited it could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities.
The security feature bypass by itself does not allow arbitrary code execution.
However, an attacker could use this ASLR bypass in conjunction with another vulnerability, such as a remote code execution vulnerability, to more reliably run arbitrary code on a target system.
In a web-browsing scenario, successful exploitation of the ASLR bypass requires a user to be logged on and running an affected version of Microsoft Office.
The user would then need to browse to a malicious site.
Therefore, any systems where a web browser is used frequently, such as workstations or terminal servers, are at the most risk from this ASLR bypass.
Servers could be at more risk if administrators allow users to browse and read email on servers.
However, best practices strongly discourage allowing this.
The update addresses the ASLR bypass by helping to ensure that affected versions of Microsoft Office properly implement the ASLR security feature.
MS Windows CVE-2016-0014 feclient.dll Insecure Library Loading Elevation of Privilege
Rules 1068372 through 1068376 were added to the Microsoft category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
An elevation of privilege vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files.
An attacker who successfully exploited the vulnerability could elevate their privileges on a targeted system.
To exploit the vulnerability, an attacker would first have to log on to the target system.
An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.
Microsoft DirectShow CVE-2016-0015 Heap Corruption Remote Code Execution Vulnerability
Rules 1068377 through 1068378 were added to the Microsoft category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when DirectShow improperly validates user input.
An attacker who successfully exploited this vulnerability could cause arbitrary code to execute in the context of the current user.
If a user is logged on with administrative user rights, an attacker could take complete control of the affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
For an attack to be successful, this vulnerability requires that a user open a specially crafted file.
In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted link to the user and by convincing the user to open it.
The security update addresses the vulnerability by modifying how DirectShow validates user input.
Microsoft received information about the vulnerability through coordinated vulnerability disclosure.
When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
Microsoft CVE-2016-0016 DLL Loading Remote Code Execution Vulnerability
Rules 1068379 through 1068387 were added to the Microsoft category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.
Microsoft CVE-2016-0018 DLL Loading Remote Code Execution Vulnerability
Rules 1068388 through 1068394 were added to the Microsoft category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.
Microsoft MAPI CVE-2016-0020 mapi32x.dll Insecure Library Loading Code Execution
Rules 1068395 through 1068399 were added to the Microsoft category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
An elevation of privilege vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files.
An attacker who successfully exploited the vulnerability could elevate their privileges on a targeted system.
To exploit the vulnerability, an attacker would first have to log on to the target system.
An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.
Microsoft Edge Scripting Engine CVE-2016-0024 Memory Corruption Vulnerability
Rule 1068400 was added to the Microsoft category in the BASE rule set.
The default usage was set to Alert.
A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge.
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website.
An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine.
The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements.
These websites could contain specially crafted content that could exploit the vulnerability.
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft .NET Framework CVE-2016-0033 Stack Overflow DoS Vulnerability
Rules 1068401 through 1068404 were added to the Microsoft category in the BASE rule set.
The default usage was set to Alert.
A denial of service vulnerability exists when .NET Framework improperly handles certain Extensible Stylesheet Language Transformations (XSLT).
An attacker who successfully exploited this vulnerability could cause the server to consistently crash with uncatchable exception errors (stack overflow).
To exploit the vulnerability, an attacker would insert specially crafted XSLT into a client-side XML web part, causing the server to recursively compile XSLT transforms.
The security update addresses the vulnerability by correcting how .NET Framework handles XSLT.
January 14, 2016
New Rules
Microsoft Office CTaskSymbol Use After Free
Rule 1068407 was added to the Microsoft category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
A use-after-free vulnerability has been reported in Microsoft Office.
The vulnerability is due to improper handling of a CTaskSymbol object in memory when parsing a specially crafted Office document that loads certain ActiveX controls.
Remote, unauthenticated attackers could exploit this vulnerability by enticing a target user to open a specially crafted Office file.
Successful exploitation allows the attacker to execute arbitrary code in the context of the current user.
CoDeSys Gateway Server Opcode 0x3ef Heap Buffer Overflow
Rule 1068408 was added to the CoDeSys category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
A heap buffer overflow vulnerability exists in 3S Smart Software CoDeSys.
The vulnerability is due to insufficient input validation when parsing requests with opcode 0x3ef.
A remote unauthenticated attacker could exploit this vulnerability by sending a crafted request message to the vulnerable service.
Successful exploitation could result in code execution in the security context of the process.
Unsuccessful attack attempts could cause the affected service to terminate abnormally, causing a denial of service (DoS) condition.
Unitronics VisiLogic OPLC TeeCommander ChartLink ActiveX Control Memory Corruption
Rules 1068409 through 1068410 were added to the Unitronics category in the BASE rule set.
The default usage was set to Alert.
A memory corruption vulnerability exists in Unitronics VisiLogic OPLC.
The vulnerability is due to an untrusted pointer dereference on the ChartLink parameter of the TeeChart.TeeCommander ActiveX control.
A remote attacker could exploit this vulnerability by enticing a vulnerable user to open a crafted web page.
Successful exploitation could lead to code execution in the context of the target user.
Unitronics UniDownloader and VisiLogic OPLC IDE IPWorksSSL.HTTPS Memory Corruption
Rules 1068411 through 1068412 were added to the Unitronics category in the BASE rule set.
The default usage was set to Alert.
A memory corruption vulnerability exists in Unitronics VisiLogic OPLC IDE and UniDownloader.
The vulnerability is due to an untrusted pointer dereference on the SSLCertHandle parameter of the IPWorksSSL.HTTPS ActiveX control.
A remote attacker could exploit this vulnerability by enticing a vulnerable user to open a crafted web page.
Successful exploitation could lead to code execution in the context of the target user.
OpenSSL RSA PSS Absent Mask Generation Parameter Denial of Service
Rules 1068413 through 1068414 were added to the OpenSSL category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
A denial-of-service vulnerability exists in OpenSSL.
The vulnerability is due to a NULL pointer dereference when an OpenSSL application receives and processes a crafted certificate containing an invalid RSA PSS parameter.
A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted client certificate to a vulnerable server application that requests it.
Successful exploitation will cause the server application to crash, resulting in a denial-of-service condition.
Schneider Electric ProClima F1BookView CopyAll Memory Corruption
Rules 1068415 through 1068416 were added to the Schneider category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
A memory corruption vulnerability has been reported in Schneider Electric ProClima.
The vulnerability is due to a flaw in the CopyAll() method of the F1BookView ActiveX control, in which a user-supplied integer is interpreted as a memory address.
A remote, unauthenticated attacker could exploit this vulnerability by enticing a victim user to browse to a malicious web page.
Successful exploitation could lead to arbitrary code execution under the context of the user.
ManageEngine Desktop Central FileUploadServlet connectionId Arbitrary File Upload
Rule 1068417 was added to the ManageEngine category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
An arbitrary file upload vulnerability has been reported in ManageEngine Desktop Central.
The vulnerability is due to a failure to sanitize the connectionId HTTP parameter within the FileUploadServlet servlet.
A remote, unauthenticated attacker could exploit this vulnerability by crafting a malicious file and uploading it onto the target system.
Successful exploitation would allow the attacker to execute code in SYSTEM context.
Samba LDAP Server libldb Infinite Loop Denial of Service
Rule 1068418 was added to the Samba category in the BASE rule set.
The default usage was set to Alert.
A denial-of-service vulnerability has been reported in the Samba LDAP server.
The vulnerability is due to an error in processing certain LDAP requests by the libldb library used by the Samba daemon.
A remote, authenticated attacker could exploit this vulnerability by sending malicious packets to cause the Samba daemon to become unresponsive.
Successful exploitation could lead to a denial of service and exhaustion of CPU resources.
Unitronics VisiLogic OPLC TeeChart ActiveX RemoveSeries Out of Bounds Array Indexing
Rules 1068419 through 1068420 were added to the Unitronics category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
An out-of-bounds array indexing vulnerability exists in Unitronics VisiLogic OPLC.
The vulnerability is due to the use of a user-supplied value to calculate an array index in the RemoveSeries method of the TeeChart.TChart ActiveX control.
A remote attacker could exploit this vulnerability by enticing a vulnerable user to open a crafted web page.
Successful exploitation could lead to code execution in the context of the target user.
January 15, 2016
New Rules
MIT Kerberos 5 build_principal_va Denial of Service
Rules 1068421 through 1068432 were added to the MIT category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
A denial-of-service vulnerability exists in MIT Kerberos 5.
The vulnerability occurs in build_principal_va() when a realm name containing a NULL byte is received: a buffer of only up to the NULL byte is allocated, whereas the complete ASN.1 length of the realm name is used as the length of the buffer.
This can lead to a memory access violation.
A remote, authenticated attacker can exploit this vulnerability by sending a malicious TGS message to the target server.
Successful exploitation will cause the vulnerable process to terminate.
Samsung SmartViewer STWAxConfig Memory Corruption
Rules 1068433 through 1068435 were added to the Samsung category in the BASE rule set.
The default usage was set to Alert.
A memory corruption vulnerability exists in Samsung SmartViewer, specifically the DVRSetupSave method in the STWAxConfig ActiveX control.
The vulnerability is due to an untrusted pointer dereference.
A remote attacker may exploit this vulnerability by enticing a victim to visit a maliciously crafted page.
Successful exploitation could lead to execution of arbitrary code under the security context of the process.
Apache ActiveMQ Shutdown Command Denial of Service
Rule 1068436 was added to the Apache category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
A denial of service vulnerability exists in Apache ActiveMQ.
The vulnerability is due to missing authentication for the undocumented shutdown command.
A remote, unauthenticated attacker may exploit this vulnerability by sending crafted packets to the server.
Successful exploitation could lead to a denial of service condition.
IBM WebSphere Application Server Commons-Collections Library Remote Code Execution
Rules 1068437 through 1068445 were added to the IBM category in the BASE rule set.
The default usage was set to Alert.
A remote code execution vulnerability has been reported in IBM WebSphere Application Server.
The vulnerability is due to deserialization of untrusted data while having the vulnerable version of the Apache Commons-Collections library in the code path.
A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted serialized object.
Successful exploitation can result in arbitrary code execution in the security context of the System user.
PowerDNS Authoritative Server DNS Packet Processing Denial of Service
Rules 1068446 through 1068447 were added to the PowerDNS category in the BASE rule set.
The default usage was set to Alert, Block, Reset.
A denial-of-service vulnerability exists in PowerDNS Authoritative Server.
The vulnerability is due to an input validation error in PowerDNS while processing crafted DNS packets.
A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted DNS packet to the target application.
A successful attack could lead to a system crash, resulting in a denial of service condition.
Kaspersky Internet Security HTTPS Inspection Insecure Certificate Validation
Rules 1068448 through 1068450 were added to the Kaspersky category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A code execution vulnerability has been reported in Kaspersky Internet Security. This vulnerability is due to improper validation of a temporary certificate name. Specifically, Kaspersky does not sanitize the Common Name attribute of X.509 certificates before creating a temporary certificate. A remote, unauthenticated attacker can exploit this vulnerability by sending the user a crafted certificate, which is then scanned by the vulnerable anti-virus in order to validate the certificate. Successful exploitation leads to a directory traversal condition and can result in code execution.
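An added example, not Kaspersky's code, of the file-naming mistake the description refers to and of a hardened form: the vulnerable pattern builds the temporary certificate's file name directly from the Common Name, so a CN carrying "..\" sequences escapes the cache directory; the hardened version whitelists characters and then verifies the resolved path is still inside the directory. The cache directory, the function names and the two sample Common Names are assumptions; ntpath is used so Windows path semantics are reproduced wherever the snippet runs.

```python
# Added example, not Kaspersky's code. The directory, names and sample CNs are assumptions.
import ntpath
import re

CACHE_DIR = r"C:\ProgramData\Kaspersky\Cache"   # assumed location, for illustration only


def unsafe_temp_cert_path(common_name):
    """Vulnerable pattern: the CN goes straight into the file name."""
    return ntpath.normpath(ntpath.join(CACHE_DIR, common_name + ".cer"))


def is_under(base, path):
    """True when 'path' (already normalized) lies inside directory 'base'."""
    base = ntpath.normcase(ntpath.normpath(base)) + "\\"
    return ntpath.normcase(path).startswith(base)


_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def safe_temp_cert_path(common_name):
    """Hardened: replace anything outside a small whitelist, refuse dot-only names,
    then confirm containment after normalization (defence in depth)."""
    name = _UNSAFE_CHARS.sub("_", common_name).strip(".")
    if not name:
        raise ValueError("empty CN after sanitizing")
    path = ntpath.normpath(ntpath.join(CACHE_DIR, name + ".cer"))
    if not is_under(CACHE_DIR, path):
        raise ValueError("temporary certificate path escapes the cache directory")
    return path


# Constructed Common Names: a normal host name and one carrying traversal sequences.
NORMAL_CN = "www.example.com"
TRAVERSAL_CN = r"..\..\..\Windows\System32\evil"
```

The containment check alone would also catch the constructed traversal CN; the whitelist is kept because it removes other characters (separators, colons, reserved names) that a path check does not reason about.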
Oracle WebLogic Server Commons-Collections Library Insecure Deserialization
Rules 1068451 through 1068459 were added to the Oracle category in the BASE ruleset. The default usage was set to Alert.
An insecure deserialization vulnerability has been reported in Oracle WebLogic Server. This vulnerability is due to deserialization of untrusted data while a vulnerable version of the Apache Commons-Collections library is in the code path. A remote, unauthenticated attacker can exploit this vulnerability by sending a request message that contains a specially crafted serialized object. Successful exploitation can result in arbitrary code execution in the security context of the System user.

Jenkins CI Server Commons-Collections Library Insecure Deserialization
Rules 1068460 through 1068468 were added to the Jenkins category in the BASE ruleset. The default usage was set to Alert.
An insecure deserialization vulnerability has been reported in Jenkins CI Server. This vulnerability is due to deserialization of untrusted data while a vulnerable version of the Apache Commons-Collections library is in the code path. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted serialized object. Successful exploitation can result in arbitrary code execution in the security context of the System user.
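The three Commons-Collections entries above (WebSphere, WebLogic and Jenkins) detect the same content: a Java serialization stream that references the library's transformer and map gadget classes. The following added example, not code from this update or from any of those products, shows that content-level check in Python: locate the serialization stream magic (AC ED 00 05), either raw or base64-encoded, and look for the gadget class names inside it. The sample payloads, the endpoint path and the class list are constructed for illustration; the list is not exhaustive, and a stream that carries none of them (a plain HashMap, say) is not alerted on.

```python
# Added example, not code from the update page or from WebSphere, WebLogic or Jenkins.
# Sample payloads, endpoint path and the gadget list are constructed for illustration.
import base64
import re

JAVA_MAGIC = b"\xac\xed\x00\x05"          # ObjectOutputStream header: STREAM_MAGIC, version 5

# Class names that appear in serialized Commons-Collections gadget chains (not exhaustive).
GADGET_CLASSES = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections.functors.ConstantTransformer",
    b"org.apache.commons.collections.functors.InstantiateTransformer",
    b"org.apache.commons.collections.map.LazyMap",
    b"org.apache.commons.collections.map.TransformedMap",
    b"org.apache.commons.collections4.functors.InvokerTransformer",
)


def _java_utf(s):
    """Java modified-UTF-8 string: 2-byte big-endian length then the bytes."""
    return len(s).to_bytes(2, "big") + s


def build_sample_stream(class_name):
    """Constructed stream: magic, TC_OBJECT (0x73), TC_CLASSDESC (0x72), class name, filler."""
    return JAVA_MAGIC + b"\x73\x72" + _java_utf(class_name) + b"\x00" * 8


def scan_raw(data):
    """Does the buffer contain a serialization stream, and which gadget classes are named?"""
    found = [c.decode() for c in GADGET_CLASSES if c in data]
    return {"serialized": JAVA_MAGIC in data, "gadgets": found}


# "rO0AB" is the base64 encoding of AC ED 00 05 followed by any byte (cookies, XML, JSON bodies).
_B64_STREAM = re.compile(rb"rO0AB[A-Za-z0-9+/]{16,}={0,2}")


def scan_payload(data):
    """Check raw bytes first, then any base64 run that starts with the stream magic."""
    result = scan_raw(data)
    result["encoding"] = "raw" if result["serialized"] else None
    if not result["serialized"]:
        for match in _B64_STREAM.finditer(data):
            blob = match.group(0)
            blob += b"=" * (-len(blob) % 4)          # restore stripped padding
            try:
                decoded = base64.b64decode(blob, validate=True)
            except ValueError:                        # binascii.Error is a ValueError
                continue
            inner = scan_raw(decoded)
            if inner["serialized"]:
                result = {**inner, "encoding": "base64"}
                break
    return result


def verdict(data):
    """'alert' only when a stream is present AND it names a gadget class."""
    report = scan_payload(data)
    return "alert" if report["serialized"] and report["gadgets"] else "pass"


# Constructed sample traffic.
BENIGN = b'POST /api HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{"name":"hello"}'
RAW_ATTACK = (b"POST /api HTTP/1.1\r\nContent-Type: application/x-java-serialized-object\r\n\r\n"
              + build_sample_stream(GADGET_CLASSES[0]))
B64_ATTACK = b"Cookie: session=" + base64.b64encode(build_sample_stream(GADGET_CLASSES[0]))
HARMLESS_STREAM = build_sample_stream(b"java.util.HashMap")
```

The check mirrors what a content rule can see on the wire; it only works where the sensor sees plaintext (after TLS termination, before gzip or other transport compression), and class names can be obscured by nested streams, so treat it as one signal, not a complete control.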
Autodesk Design Review GIF Global Color Table Data Sub Block Buffer Overflow
Rules 1068469 through 1068472 were added to the Autodesk category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A heap buffer overflow vulnerability exists in Autodesk Design Review. The vulnerability is due to an error when processing the Global Color Table flag and Data Sub Block size fields inside a GIF file. In order to exploit the vulnerability, the remote attacker needs to entice the target user to open a malicious file using the vulnerable application. Successful exploitation would allow the attacker to execute arbitrary code.

Schneider Electric ProClima F1BookView AttachToSS Memory Corruption
Rules 1068473 through 1068474 were added to the Schneider category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A memory corruption vulnerability has been reported in Schneider Electric ProClima. The vulnerability is due to a flaw in the AttachToSS() method of the F1BookView ActiveX control, in which a user-supplied integer is interpreted as a memory address. A remote, unauthenticated attacker could exploit this vulnerability by enticing a victim to browse to a malicious web page. Successful exploitation could lead to arbitrary code execution under the context of the user.

Apache Subversion svn Protocol Parser Integer Overflow
Rules 1068475 through 1068478 were added to the Apache category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
An integer overflow vulnerability exists in Apache Subversion. The vulnerability is due to a flaw in the svn:// protocol parser. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted requests that will be processed by svnserve over the svn:// protocol. Successful exploitation could allow the attacker to cause a denial of service or execute arbitrary code under the context of the targeted process.

ISC BIND db.c Assertion Failure Denial of Service
Rules 1068479 through 1068486 were added to the ISC category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A denial-of-service vulnerability has been reported in BIND. The vulnerability is due to improper parsing of incoming responses, allowing malformed records to be accepted by BIND when they should not be accepted. A remote, unauthenticated attacker could exploit this vulnerability against DNS servers that perform recursive queries by crafting responses with an improper class attribute. Successful exploitation could lead to denial of service.
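An added example, not ISC code, of the check the BIND description implies a resolver must make before accepting a response: every resource record must carry the class of the question it answers. It builds a constructed response containing one A record (with the record class chosen by the caller), parses it, and rejects it when the answer class differs from the question class. The helper and function names are assumptions.

```python
# Added example, not ISC code. Names and the constructed response are assumptions.
import struct


def encode_name(labels):
    """Wire-format name from a list of label bytes, e.g. [b"example", b"com"]."""
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_response(qname_labels, qclass, answer_class, txid=0x1234):
    """Constructed response: one question and one A record whose class may be altered."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR, RD, RA; QDCOUNT=1, ANCOUNT=1
    question = encode_name(qname_labels) + struct.pack(">HH", 1, qclass)   # QTYPE A, caller's class
    answer = (b"\xc0\x0c"                                           # compression pointer to the question name
              + struct.pack(">HHIH", 1, answer_class, 60, 4)        # TYPE A, CLASS, TTL 60, RDLENGTH 4
              + bytes([192, 0, 2, 1]))                              # 192.0.2.1, documentation range
    return header + question + answer


def skip_name(buf, pos):
    """Advance past a name, whether it is a label sequence or a compression pointer."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def answer_records(buf):
    """Return answers as (type, class); raise if any RR class differs from the question's."""
    qdcount, ancount = struct.unpack(">HH", buf[4:8])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = skip_name(buf, 12)
    _qtype, qclass = struct.unpack(">HH", buf[pos:pos + 4])
    pos += 4
    records = []
    for _ in range(ancount):
        pos = skip_name(buf, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", buf[pos:pos + 10])
        pos += 10 + rdlen
        if rclass != qclass:
            raise ValueError(f"answer class {rclass} does not match question class {qclass}")
        records.append((rtype, rclass))
    return records


def response_is_consistent(buf):
    """True when every answer record carries the question's class."""
    try:
        answer_records(buf)
    except ValueError:
        return False
    return True


GOOD_RESPONSE = build_response([b"example", b"com"], 1, 1)   # IN question, IN answer
BAD_RESPONSE = build_response([b"example", b"com"], 1, 3)    # IN question, CH answer
```

A real resolver applies the same rule to authority and additional records and to the owner name and type of each record; the class comparison is shown alone because it is the field the description singles out.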
February 9, 2016

New Rules

Microsoft Office CVE-2016-0022 Memory Corruption Vulnerability
Rules 1068556 through 1068557 were added to the Microsoft category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software.
In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.
Microsoft .NET CVE-2016-0033 Stack Overflow DoS Vulnerability
Rules 1068558 through 1068559 were added to the Microsoft category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A security feature bypass vulnerability for Microsoft Edge exists as a result of how exceptions are handled when dispatching certain window messages, allowing an attacker to probe the layout of the address space and thereby bypass Address Space Layout Randomization (ASLR). By itself, the ASLR bypass vulnerability does not allow arbitrary code execution. However, an attacker could use the ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, to run arbitrary code on a target system. Successful exploitation of the ASLR bypass vulnerability requires a user to be logged on and running an affected version of Microsoft Edge. The user would then need to browse to a malicious site.
Windows CVE-2016-0041 DLL Loading Remote Code Execution Vulnerability
Rules 1068560 through 1068573 were added to the Windows category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.

MS Windows CVE-2016-0042 DLL Loading Remote Code Execution Vulnerability
Rules 1068574 through 1068589 were added to the Microsoft category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.
Microsoft Office CVE-2016-0053 Memory Corruption Vulnerability
Rules 1068590 through 1068591 were added to the Microsoft category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.
IE CVE-2016-0060 Memory Corruption Vulnerability
Rule 1068592 was added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0061 Memory Corruption Vulnerability
Rules 1068593 through 1068594 were added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0063 Memory Corruption Vulnerability
Rules 1068595 through 1068598 were added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0067 Memory Corruption Vulnerability
Rule 1068599 was added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0068 Elevation of Privilege
Rule 1068600 was added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert.
An elevation of privilege vulnerability exists when Internet Explorer does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site. An attacker who successfully exploited the vulnerability could elevate privileges in affected versions of Internet Explorer. The vulnerability alone does not allow arbitrary code to be run. However, the vulnerability could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code. For example, an attacker could exploit another vulnerability to run arbitrary code through Internet Explorer, but due to the context in which processes are launched by Internet Explorer, the code might be restricted to run at a low integrity level (very limited permissions). However, an attacker could, in turn, exploit this vulnerability to cause the arbitrary code to run at a medium integrity level (permissions of the current user).
March 8, 2016

New Rules

Microsoft Office CVE-2016-0021 Memory Corruption Vulnerability - Excel
Rules 1068619 through 1068622 were added to the Microsoft category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. Note that the Preview Pane is not an attack vector for this vulnerability. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

Windows Media Player CVE-2016-0098 Parsing Remote Code Execution Vulnerability
Rule 1068623 was added to the Windows category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A vulnerability exists in Microsoft Windows. The vulnerability could allow remote code execution if a user opens specially crafted media content that is hosted on a website. An attacker could host media content on a website or send an attachment in an email and then convince the user to open it. An attacker who successfully exploited this vulnerability could take control of an affected system remotely. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Browser CVE-2016-0102 Memory Corruption Vulnerability
Rule 1068624 was added to the Microsoft category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0104 Memory Corruption Vulnerability
Rule 1068625 was added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Browser CVE-2016-0105 Memory Corruption Vulnerability
Rule 1068626 was added to the Microsoft category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0106 Memory Corruption Vulnerability
Rule 1068627 was added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0107 Memory Corruption Vulnerability
Rule 1068628 was added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0108 Memory Corruption Vulnerability
Rule 1068629 was added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Browser CVE-2016-0109 Memory Corruption Vulnerability
Rule 1068630 was added to the Microsoft category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Browser CVE-2016-0110 Memory Corruption Vulnerability
Rule 1068631 was added to the Microsoft category in the BASE ruleset. The default usage was set to Alert.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Browser CVE-2016-0111 Memory Corruption Vulnerability
Rule 1068632 was added to the Microsoft category in the BASE ruleset. The default usage was set to Alert.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0112 Memory Corruption Vulnerability
Rule 1068633 was added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0113 Memory Corruption Vulnerability
Rule 1068634 was added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0114 Memory Corruption Vulnerability
Rule 1068635 was added to the Internet_Explorer category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0123 Memory Corruption Vulnerability
Rule 1068636 was added to the Microsoft category in the BASE ruleset. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory.
Thevulnerabilitycouldcorruptmemoryinsuchawaythatanattackercouldexecutearbitrarycodeinthecontextofthecurrentuser.
AnattackercouldhostaspeciallycraftedwebsitethatisdesignedtoexploitthevulnerabilitythroughMicrosoftEdge,andthenconvinceausertoviewthewebsite.
Theattackercouldalsotakeadvantageofcompromisedwebsitesandwebsitesthatacceptorhostuser-providedcontentoradvertisementsbyaddingspeciallycraftedcontentthatcouldexploitthevulnerability.
Inallcases,however,anattackerwouldhavenowaytoforceuserstoviewtheattacker-controlledcontent.
Instead,anattackerwouldhavetoconvinceuserstotakeaction,typicallybywayofenticementinanemailorInstantMessengermessage,orbygettingthemtoopenanattachmentsentthroughemail.
Anattackerwhosuccessfullyexploitedthevulnerabilitycouldgainthesameuserrightsasthecurrentuser.
Ifthecurrentuserisloggedonwithadministrativeuserrights,anattackerwhosuccessfullyexploitedthevulnerabilitycouldtakecontrolofanaffectedsystem.
Anattackercouldtheninstallprograms;view,change,ordeletedata;orcreatenewaccountswithfulluserrights.
MicrosoftEdgeCVE-2016-0124MemoryCorruptionVulnerabilityRule1068637wasaddedtotheMicrosoftcategoryintheBASEruleset.
ThedefaultusagewassettoAlert,Block,Reset.
AremotecodeexecutionvulnerabilityexistswhenMicrosoftEdgeimproperlyaccessesobjectsinmemory.
Thevulnerabilitycouldcorruptmemoryinsuchawaythatanattackercouldexecutearbitrarycodeinthecontextofthecurrentuser.
AnattackercouldhostaspeciallycraftedwebsitethatisdesignedtoexploitthevulnerabilitythroughMicrosoftEdge,andthenconvinceausertoviewthewebsite.
Theattackercouldalsotakeadvantageofcompromisedwebsitesandwebsitesthatacceptorhostuser-providedcontentoradvertisementsbyaddingspeciallycraftedcontentthatcouldexploitthevulnerability.
Inallcases,however,anattackerwouldhavenowaytoforceuserstoviewtheattacker-controlledcontent.
Instead,anattackerwouldhavetoconvinceuserstotakeaction,typicallybywayofenticementinanemailorInstantMessengermessage,orbygettingthemtoopenanattachmentsentthroughemail.
Anattackerwhosuccessfullyexploitedthevulnerabilitycouldgainthesameuserrightsasthecurrentuser.
Ifthecurrentuserisloggedonwithadministrativeuserrights,anattackerwhosuccessfullyexploitedthevulnerabilitycouldtakecontrolofanaffectedsystem.
Anattackercouldtheninstallprograms;view,change,ordeletedata;orcreatenewaccountswithfulluserrights.
Adobe Reader CVE-2016-1008 updaternotifications.dll Insecure Library Loading Code Execution - WebDAV
Rules 1068638 through 1068642 were added to the Adobe category in the BASE rule set. The default usage was set to Alert, Block, Reset.
This vulnerability is an instance of a code injection vulnerability: when an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories, one of which is the current document directory. In this case, the current SMB share directory may contain a malicious DLL that has special meaning for Acrobat.
March 17, 2016
New Rules

SSLv2 Session Negotiation - Server Hello
Rules 1068769 through 1068777 were added to the SSLv2 category in the BASE rule set. The default usage was set to Alert.
DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third parties being able to read the communication. DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Attackers can gain access to any communication between users and the server. This typically includes, but is not limited to, usernames and passwords, credit card numbers, emails, instant messages, and sensitive documents. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.
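An added example, not part of the McAfee document: a parser for the SSLv2 SERVER-HELLO record that the SSLv2 Session Negotiation rules above match on, so an analyst handling one of these alerts can confirm from the captured server response that the host still negotiates SSLv2 and see whether it offers the 40-bit export cipher kinds that make the cheaper DROWN variant practical. The record bytes and the placeholder certificate are constructed, not captured; the cipher-kind values are the ones defined in the SSLv2 specification.

```python
import struct

# 3-byte CIPHER-KIND values defined by the SSLv2 specification.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# The 40-bit export kinds: a server offering these is exposed to the cheaper
# DROWN variant in addition to the general one (any SSLv2 support at all).
SSLV2_EXPORT_KINDS = {b"\x02\x00\x80", b"\x04\x00\x80"}
SSLV2_MT_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002


def parse_sslv2_server_hello(data):
    """Parse one SSLv2 record; return a dict if it is a SERVER-HELLO, else None."""
    if len(data) < 3:
        return None
    # SSLv2 record header: high bit set -> 2-byte header, no padding;
    # high bit clear -> 3-byte header whose third byte is the padding length.
    if data[0] & 0x80:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + rec_len]
    else:
        rec_len = ((data[0] & 0x3F) << 8) | data[1]
        body = data[3:3 + rec_len]
    if len(body) != rec_len or rec_len < 11:
        return None  # truncated record, or too short to hold the fixed fields
    (msg_type, session_id_hit, cert_type, version,
     cert_len, cipher_len, conn_id_len) = struct.unpack("!BBBHHHH", body[:11])
    if msg_type != SSLV2_MT_SERVER_HELLO or version != SSLV2_VERSION:
        return None
    if cipher_len % 3 or 11 + cert_len + cipher_len + conn_id_len != rec_len:
        return None  # the three variable-length fields must exactly fill the body
    specs = body[11 + cert_len:11 + cert_len + cipher_len]
    kinds = [specs[i:i + 3] for i in range(0, cipher_len, 3)]
    return {
        "session_id_hit": bool(session_id_hit),
        "certificate_type": cert_type,
        "certificate_length": cert_len,
        "cipher_kinds": [SSLV2_CIPHER_KINDS.get(k, k.hex()) for k in kinds],
        "export_ciphers_offered": any(k in SSLV2_EXPORT_KINDS for k in kinds),
    }


def classify_server_response(data):
    """Triage the first record a server sends back, as an alert handler would."""
    hello = parse_sslv2_server_hello(data)
    if hello is None:
        return "no-sslv2-server-hello"
    return "sslv2-export-ciphers" if hello["export_ciphers_offered"] else "sslv2"


def build_sample_server_hello():
    """Constructed SERVER-HELLO (not a capture): placeholder cert, three cipher kinds."""
    cert = b"\x30\x82\x00\x10" + b"\x00" * 16   # placeholder bytes, not a real certificate
    specs = b"\x01\x00\x80" + b"\x02\x00\x80" + b"\x07\x00\xc0"
    conn_id = bytes(range(16))
    body = struct.pack("!BBBHHHH", SSLV2_MT_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return struct.pack("!H", 0x8000 | len(body)) + body   # 2-byte header form


if __name__ == "__main__":
    sample = build_sample_server_hello()
    print(classify_server_response(sample), parse_sslv2_server_hello(sample)["cipher_kinds"])
```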
March 23, 2016
New Rules

MS Windows OLE CVE-2016-0092 Remote Code Execution CFB
Rules 1068792 through 1068797 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert.
A code execution vulnerability exists in Microsoft Windows OLE. The vulnerability is due to improper validation of user input. A remote attacker can exploit this vulnerability by enticing the target user to open a specially crafted web page, an email message, or a document containing an OLE object. Successful exploitation could lead to arbitrary code execution in the security context of the target user.

MS Windows OLE CVE-2016-0091 Remote Code Execution CFB
Rules 1068798 through 1068803 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert.
A code execution vulnerability exists in Microsoft Windows OLE. The vulnerability is due to improper validation of user input. A remote attacker can exploit this vulnerability by enticing the target user to open a specially crafted web page, an email message, or a document containing an OLE object. Successful exploitation could lead to arbitrary code execution in the security context of the target user.
April 13, 2016
New Rules

Microsoft Office CVE-2016-0127 Memory Corruption Vulnerability
Rule 1068857 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-0127. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

Microsoft MSXML 3.0 CVE-2016-0147 Remote Code Execution Vulnerability
Rules 1068858 through 1068859 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert.
A remote code execution vulnerability exists when the Microsoft XML Core Services (MSXML) parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user's system. To exploit the vulnerability, an attacker could host a specially-crafted website that is designed to invoke MSXML through Internet Explorer. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or a link in an Instant Messenger request that would then take the user to the website. When the user's browser parses the XML content, an attacker could run malicious code remotely to take control of the user's system.

Microsoft .NET Framework CVE-2016-0148 Remote Code Execution Vulnerability ascii
Rules 1068860 through 1068861 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when the .NET Framework fails to properly validate input before loading libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first need to have access to the local system and have the ability to execute a malicious application.

Microsoft Browser CVE-2016-0154 Memory Corruption Vulnerability
Rules 1068862 through 1068863 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0155 Memory Corruption Vulnerability
Rule 1068864 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert.
A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0156 Memory Corruption Vulnerability
Rule 1068865 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert.
A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0157 Memory Corruption Vulnerability
Rule 1068866 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert.
A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0158 Memory Corruption Vulnerability
Rule 1068867 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert, Block, Reset.
An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. In a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker could not force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site. An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Microsoft Edge. The vulnerability by itself does not allow arbitrary code to be run. However, the vulnerability could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code. For example, an attacker could exploit another vulnerability to run arbitrary code through Microsoft Edge, but due to the context in which processes are launched by Microsoft Edge, the code might be restricted to run at a low integrity level (very limited permissions). However, an attacker could, in turn, exploit this vulnerability to cause the arbitrary code to run at a medium integrity level (the permissions of the current user).

IE CVE-2016-0159 Memory Corruption Vulnerability
Rule 1068868 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0160 DLL Loading Code Execution - WebDAV
Rules 1068869 through 1068873 were added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0161 Elevation of Privilege Vulnerability
Rule 1068874 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert.
An elevation of privilege vulnerability exists when Microsoft Edge does not properly validate JavaScript under specific conditions, potentially allowing a script to be run with elevated privileges. In a web-based attack scenario, an attacker could host a website in an attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site. An attacker who successfully exploited the vulnerability could elevate privileges in affected versions of Microsoft Edge. An attacker could then leverage these privileges with another vulnerability to run arbitrary code with medium integrity level privileges (permissions of the current user). This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code. For example, an attacker could exploit another vulnerability to run arbitrary code through Microsoft Edge, but because of the context in which processes are launched by Internet Explorer, the code might be restricted to run at a low integrity level (very limited permissions). However, an attacker could, in turn, exploit this vulnerability to cause the arbitrary code to run at a medium integrity level (permissions of the current user).

IE CVE-2016-0164 Memory Corruption Vulnerability
Rule 1068875 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert, Block, Reset.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Adobe Flash oleacc.dll Insecure Library Loading Code Execution - WebDAV
Rules 1068876 through 1068935 were added to the Adobe category in the BASE rule set. The default usage was set to Alert, Block, Reset.
Adobe Flash loads external code via Dynamic Link Libraries (DLLs). Malicious code can be planted using a DLL with the same name as the one Flash normally uses. Flash will look through a set of predefined directories, one of which is the installation directory.
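An added example, not from the McAfee document, for the DLL search-order mechanism behind both the Adobe Reader updaternotifications.dll entry and the Adobe Flash oleacc.dll entry above: it triages image-load records of the shape Sysmon Event ID 7 produces (Image, ImageLoaded, Signed) and flags any DLL that the search order resolved from a WebDAV or SMB share, or from an untrusted local directory such as the opened document's folder, instead of from the application or system directory. All records and file paths below are constructed sample values, and the trusted-directory set assumes a default Windows install.

```python
import ntpath

# Directories from which the applications above legitimately load system DLLs
# such as oleacc.dll (assumption: default Windows install, lower-cased).
TRUSTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Path component the Windows WebDAV mini-redirector uses for WebDAV shares.
WEBDAV_MARKER = "davwwwroot"

# Constructed sample processes (not captured values).
READER_IMAGE = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
FLASH_IMAGE = r"C:\Program Files\Adobe\Flash Player\FlashPlayer.exe"

# Constructed Sysmon Event ID 7 (Image loaded)-style records.
SAMPLE_IMAGE_LOADS = [
    {"Image": READER_IMAGE,
     "ImageLoaded": r"C:\Windows\System32\oleacc.dll", "Signed": "true"},
    {"Image": READER_IMAGE,
     "ImageLoaded": r"\\203.0.113.10@80\DavWWWRoot\invoices\updaternotifications.dll",
     "Signed": "false"},
    {"Image": FLASH_IMAGE,
     "ImageLoaded": r"\\fileserver\public\oleacc.dll", "Signed": "false"},
    {"Image": READER_IMAGE,
     "ImageLoaded": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\updaternotifications.dll",
     "Signed": "true"},
    {"Image": FLASH_IMAGE,
     "ImageLoaded": r"C:\Users\alice\Downloads\oleacc.dll", "Signed": "false"},
]


def classify_load_path(image, image_loaded):
    """Classify where a DLL was resolved from, relative to the loading process."""
    proc_dir = ntpath.dirname(image).lower()
    loaded = image_loaded.lower()
    loaded_dir = ntpath.dirname(loaded)
    if loaded.startswith("\\\\"):
        # UNC path: the DLL search order reached a network share instead of the
        # application or system directory; this is the case the Insecure
        # Library Loading - WebDAV rules cover.
        return "webdav" if WEBDAV_MARKER in loaded.split("\\") else "smb"
    if loaded_dir == proc_dir or loaded_dir in TRUSTED_SYSTEM_DIRS:
        return "expected"
    return "local-untrusted-dir"   # e.g. the directory of the opened document


def triage_image_loads(records):
    """Return one finding per record whose DLL came from somewhere unexpected."""
    findings = []
    for rec in records:
        kind = classify_load_path(rec["Image"], rec["ImageLoaded"])
        if kind == "expected":
            continue
        findings.append({
            "process": ntpath.basename(rec["Image"]),
            "dll": ntpath.basename(rec["ImageLoaded"]),
            "source": ntpath.dirname(rec["ImageLoaded"]),
            "kind": kind,
            "signed": rec.get("Signed") == "true",
        })
    return findings


if __name__ == "__main__":
    for finding in triage_image_loads(SAMPLE_IMAGE_LOADS):
        print(finding)
```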
May 20, 2016
New Rules

Microsoft Graphics Component CVE-2016-0168 Information Disclosure Vulnerability ANSI
Rules 1068936 through 1068937 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert, Block, Reset.
An information disclosure vulnerability exists when the Windows GDI component improperly discloses contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted web page.

Microsoft Scripting Engine CVE-2016-0187 Memory Corruption Vulnerability
Rule 1068938 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert.
A remote code execution vulnerability exists in the way that the VBScript engine renders when handling objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0189 Scripting Engine Memory Corruption Vulnerability
Rule 1068939 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert.
A remote code execution vulnerability exists in the way that the VBScript engine renders when handling objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0191 Memory Corruption Vulnerability
Rule 1068940 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert.
A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

Microsoft Browser CVE-2016-0192 Memory Corruption Vulnerability
Rules 1068941 through 1068942 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert.
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-generated content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by an enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Scripting Engine CVE-2016-0193 Memory Corruption Vulnerability
Rule 1068943 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert.
A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.intelsecurity.com

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2015 McAfee, Inc.
