CVE	Attack ID
CVE-2014-1812	0x43c0ef00
CVE-2019-0708	0x47900c00
CVE-2017-11774	0x45266f00
CVE-2018-15961	0x4527df00
CVE-2019-19781	0x45272800
CVE-2019-3398	0x4527e000
CVE-2019-11580	0x45285100
CVE-2018-13379	0x45274900
CVE-2020-0688	0x45279200
CVE-2019-11510	0x40200c00
CVE-2019-0604	0x45261c00
CVE-2020-10189	0x45282e00
CVE-2019-8394	0x4527de00
CVE-2016-0167	0x451a2400
CVE-2020-1472	0x47607900
CVE-2018-8581	0x4525a000

The December 15, 2020, NSP Signature Set contains the UDSs for Attack ID 0x43c0ef00 formerly linked above. For reference, they were:

• KB93838 - REGISTERED - NSP Emergency UDS Release Notes - UDS-NETBIOS-SS: Microsoft Windows Group Policy Preferences Password Elevation of Privilege Vulnerability (CVE-2014-1812)
• KB93851 - REGISTERED - NSP Emergency UDS Release Notes.

NOTE: The referenced content is available only to logged in ServicePortal users. To view the content, click the link and log in when prompted.

McAfee DAT / Antivirus Scanner Content
Coverage for known binaries in this threat campaign is included in production DATs. More generic coverage that was formerly provided by Extra.DAT is contained in production AMCore 4289 (ENS) and DAT 9837 (VSE) and later, both released on December 16, 2020.

Global Threat Intelligence (GTI) Cloud also provides detection capability.
 

• GenericRXGM-ZG
• GenericRXIJ-FB
• GenericRXKK-BW
• GenericRXLJ-WX
• GenericRXLK-DW
• GenericRXLM-TO
• GenericRXLR-FP
• GenericRXLS-FV
• GenericRXLS-VC
• GenericRXMC-ZM
• GenericRXMF-TL
• GenericRXMG-VD
• GenericRXMI-FN
• GenericRXMI-UU
• GenericRXMN-CC
• GenericRXMO-QY
• GenericRXMO-SZ
• GenericRXMQ-PM
• GenericRXMU-MO
• HTA/Cobalstrike.a
• HackTool-FEY
• HackTool-Leak.a
• HackTool-Leak.c
• PUP-XGW-FN
• PUP-XME-SY
• RDN/Generic BackDoor
• RDN/Generic Downloader.x
• RDN/Generic.dx
• RDN/Generic.grp
• Trojan-Cobalt
• Trojan-FPWJ
• Trojan-FQND
• Trojan-FRQF
• Trojan-FSXF
• Trojan-FTEH
• W97M/Downloader.st
• ZeroLogon

Exploit Prevention / Host IPS
Coverage for ENS Threat Prevention Exploit Prevention and Host IPS is under evaluation. The following CVEs have been confirmed.
 

CVE-2019-0708	RCE of Windows Remote Desktop Services (RDS)	Covered by existing Network Intrusion Prevention System (NIPS) signature 6137
CVE-2016-0167	Local privilege escalation on older versions of Microsoft Windows	Expected coverage by Generic Privilege Escalation Prevention (GPEP)
CVE-2020-1472	Microsoft Active Directory escalation of privileges	Covered by 6182
CVE-2020-10189	RCE for ZoHo ManageEngine Desktop Central	Expert Rule below
CVE-2019-8394	Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload	Expert Rule below
CVE-2020-0688 CVE-2019-0604	IIS Enveloping Signature	Expert Rule below

Expert Rule for CVE-2020-10189 - RCE for ZoHo ManageEngine Desktop Central:
 

Rule name	Block ZoHo ManageEngine Desktop Central RCE
Severity	High
Action	Block, Report
Rule type	Processes
Rule content	Rule { Process { Include OBJECT_NAME { -v "**\\DesktopCentral_Server\\jre\\bin\\java.exe"  } Include PROCESS_CMD_LINE { -v "**DCStarter**" } } Target { Match PROCESS { Include OBJECT_NAME { -v "cmd.exe" } Include OBJECT_NAME { -v "powershell.exe" } Include OBJECT_NAME { -v "cscript.exe" } Include OBJECT_NAME { -v "wscript.exe" } Exclude PROCESS_CMD_LINE { -v "**.bat**" } Include -access "CREATE" } } }
Notes (Optional)	CVE-2020-10189

Expert Rule for CVE-2019-8394 - Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload:
 

Rule name	Block Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload
Severity	High
Action	Block, Report
Rule type	Files
Rule content	Rule { Process { Include OBJECT_NAME { -v "**\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe"  } } Target { Match FILE { Include OBJECT_NAME { -v "**\\ManageEngine\\ServiceDesk\\custom\\login\\*.jsp" } Include -access "WRITE" } } }
Notes (Optional)	CVE-2019-8394

Expert Rule for CVE-2020-0688 and CVE-2019-060. This rule is an enveloping signature that prevents attacks on the IIS process using deserialization type vulnerabilities:
 

Rule name	IIS Enveloping Signature
Severity	High
Action	Block, Report
Rule type	Processes
Rule content	Rule { Process { Include OBJECT_NAME { -v "w3wp.exe"  } } Target { Match PROCESS { Include OBJECT_NAME { -v "cmd.exe" } Include OBJECT_NAME { -v "powershell.exe" } Include OBJECT_NAME { -v "cscript.exe" } Include OBJECT_NAME { -v "wscript.exe" } Include OBJECT_NAME { -v "mshta.exe" } Include -access "CREATE" } } }
Notes (Optional)	CVE-2020-0688 CVE-2019-0604