The following NIDS signature updates are available via liveupdate for Dragon versions 7.x/8.x:
IIS:WEBDAV-REMOTE-CODE
UPDATE-TYPE: New Signature
CLASSIFICATION: BETA
DESCRIPTION: There is a vulnerability in the Microsoft IIS server on Windows XP and Windows 2003 that may lead to remote code execution. The vulnerability is in the processing of specific HTTP headers within IIS. Microsoft has released a patch for this vulnerability.
REFERENCE: URLREF
http://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py
REFERENCE: URLREF
https://support.microsoft.com/en-us/help/3197835/description-of-the-security-update-for-windows-xp-a...
REFERENCE: URLREF
http://docs.emergingthreats.net/2024107
REFERENCE: CVE
CVE-2017-7269
MS:KERBEROS-PRIV-ESCAL
UPDATE-TYPE: New Signature
CLASSIFICATION: BETA
DESCRIPTION: A privilege escalation vulnerability exists within Microsoft Windows Kerberos that allows a domain user to elevate to a domain administrator. Microsoft has released a patch for this vulnerability. This signature looks for the pykek toolkit being used to exploit this vulnerability.
REFERENCE: URLREF
https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
REFERENCE: URLREF
http://github.com/bidord/pykek
REFERENCE: URLREF
http://docs.emergingthreats.net/2019897
REFERENCE: CVE
CVE-2014-6324
MS:KERBEROS-PRIV-ESCAL-2
UPDATE-TYPE: New Signature
CLASSIFICATION: BETA
DESCRIPTION: A privilege escalation vulnerability exists within Microsoft Windows Kerberos that allows a domain user to elevate to a domain administrator. Microsoft has released a patch for this vulnerability. This signature looks for impacket being used to exploit this vulnerability.
REFERENCE: URLREF
https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
REFERENCE: URLREF
http://code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py
REFERENCE: URLREF
http://docs.emergingthreats.net/2019922
REFERENCE: CVE
CVE-2014-6324
MS:SMB-REQUEST-REMOTE
UPDATE-TYPE: New Signature
CLASSIFICATION: BETA
DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry.
REFERENCE: URLREF
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/
REFERENCE: URLREF
http://docs.emergingthreats.net/2024297
REFERENCE: CVE
CVE-2017-0143
MS:SMB2-PROCESSID-NEGOTIATE
UPDATE-TYPE: New Signature
CLASSIFICATION: BETA
DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMBv2 packets. Microsoft has released a patch (MS09-050) for this vulnerability.
REFERENCE: URLREF
http://www.exploit-db.com/exploits/14674/
REFERENCE: URLREF
http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx
REFERENCE: URLREF
http://docs.emergingthreats.net/2012063
REFERENCE: CVE
CVE-2009-3103
MS:SMBV1-REQUEST-REMOTE
UPDATE-TYPE: Modified Signature
CLASSIFICATION: BETA
DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry.
REFERENCE: URLREF
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/
REFERENCE: URLREF
http://docs.emergingthreats.net/2024217
REFERENCE: CVE
CVE-2017-0144
MS:SMBV1-REQUEST-REMOTE2
UPDATE-TYPE: Modified Signature
CLASSIFICATION: BETA
DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry. There are other signatures that depend on this signature being enabled.
REFERENCE: URLREF
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/
REFERENCE: URLREF
http://docs.emergingthreats.net/2024220
REFERENCE: CVE
CVE-2017-0144
MS:SMBV1-RESPONSE-REMOTE
UPDATE-TYPE: Modified Signature
CLASSIFICATION: BETA
DESCRIPTION: There is a vulnerability in Microsoft Windows that may lead to remote code execution. The vulnerability is in the processing of SMB packets. Microsoft has released a patch (MS17-010) for this vulnerability. The vulnerability is also being used in ransomware attacks, including WannaCry. This signature tests for the "smbv1.remote" FlowTag being set before generating an event on network traffic. This FlowTag is defined by the MS:SMBV1-REQUEST-REMOTE signature, which is required for this signature to generate an event.
REFERENCE: URLREF
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx/
REFERENCE: URLREF
http://docs.emergingthreats.net/2024218
REFERENCE: CVE
CVE-2017-0144