Summary:
19 new OPEN, 24 new PRO (19 open + 5 Pro-only): MSSQL Maggie Backdoor, FortiOS Auth Bypass, Various Phish, Arid Viper.
Thanks @MBThreatIntel, @cluster25_io, @DCSO_CyTec, @jaydinbas, @botlabsDev
Please share issues, feedback, and requests via the Feedback page.
Added rules:
Open:
2039171 - ET MALWARE Arid Viper APT Related Activity (POST) (malware.rules)
2039172 - ET MALWARE Magecart Related Domain in DNS Lookup (cdn-mediahub .com) (malware.rules)
2039173 - ET WEB_SERVER Cluster25 FortiOS Possible Auth Bypass Attempt (web_server.rules)
2039174 - ET PHISHING Generic Credential Phish Landing Page 2022-10-12 (phishing.rules)
2039175 - ET PHISHING Successful Generic Credential Phish 2022-10-12 (phishing.rules)
2039176 - ET PHISHING Generic Credential Phish 2022-10-12 (phishing.rules)
2039177 - ET MALWARE Mekotio Banking Trojan CnC Domain (zautoservice .eu) in DNS Lookup (malware.rules)
2039178 - ET INFO Observed File Sharing Service (www .uplooder .net) in DNS Lookup (info.rules)
2039179 - ET MALWARE Win32/Spy.Mekotio.EY Payload Request (malware.rules)
2039180 - ET INFO Observed File Sharing Service Domain (www .uplooder .net) in TLS SNI (info.rules)
2039181 - ET INFO MSSQL SELECT SPID Query Observed (info.rules)
2039182 - ET MALWARE MSSQL maggie backdoor Accessall Query Observed (malware.rules)
2039183 - ET MALWARE MSSQL maggie backdoor ListIP Query Observed (malware.rules)
2039184 - ET MALWARE MSSQL maggie backdoor ls Query Observed (malware.rules)
2039185 - ET MALWARE MSSQL maggie backdoor sysinfo Query Observed (malware.rules)
2039186 - ET MALWARE MSSQL maggie backdoor whoami Query Observed (malware.rules)
2039187 - ET MALWARE MSSQL maggie backdoor sp_addextendedproc Command Observed (malware.rules)
2039188 - ET INFO MSSQL sp_addextendedproc Command Observed (info.rules)
2039189 - ET MALWARE VBA/Agent.AAV CnC Checkin (malware.rules)
Pro:
2852541 - ETPRO PHISHING Successful Bancolombia Phish 2022-10-12 (phishing.rules)
2852542 - ETPRO MALWARE Win32/TrojanDownloader.Agent.K CnC Activity (malware.rules)
2852543 - ETPRO MALWARE Generic Malicious Download Web Inject (malware.rules)
Modified active rules:
2850598 - ETPRO MALWARE Ettersilent MalDoc C2 Beacon (malware.rules)
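The MSSQL rules listed above key on query text crossing the wire: a SELECT @@SPID probe, registration of an extended stored procedure via sp_addextendedproc (flagged as the Maggie variant when the procedure registered is named maggie), and the Maggie command keywords (Accessall, ListIP, ls, sysinfo, whoami). As an added illustration that is not part of this ruleset note and does not reproduce the ET signatures themselves, the following Python frames a client-to-server TDS byte stream, decodes SQL_BATCH packets (handling the TDS 7.2+ ALL_HEADERS prefix), and reports which of those rule-style conditions each query trips. The TDS header and ALL_HEADERS layout follow the published MS-TDS format; the EXEC maggie '<command>' invocation shape, the choice to treat the literal procedure name maggie as the malware indicator, and the sample packets are assumptions constructed for this example.

```python
import re
import struct

TDS_SQL_BATCH = 0x01  # TDS packet type for a SQL batch (plain T-SQL text)

# Command keywords taken from the rule names in this note. How the real ET
# signatures match them is not shown on this page; the patterns below are assumptions.
MAGGIE_COMMANDS = ("Accessall", "ListIP", "ls", "sysinfo", "whoami")


def parse_tds_packets(data):
    """Yield (type, status, spid, payload) for each 8-byte-header TDS packet in a byte stream."""
    off = 0
    while off + 8 <= len(data):
        ptype, status, length, spid, _pkt_id, _window = struct.unpack(">BBHHBB", data[off:off + 8])
        if length < 8 or off + length > len(data):
            break  # truncated or malformed packet: stop rather than mis-frame what follows
        yield ptype, status, spid, data[off + 8:off + length]
        off += length


def sql_batch_text(payload):
    """Decode the UTF-16LE query text of a SQL_BATCH payload.

    TDS 7.2+ clients prefix the text with an ALL_HEADERS block whose first DWORD is
    its own total length (22 bytes for the usual transaction-descriptor header).
    Query text starting with an ASCII character decodes to at least 0x10000 in that
    DWORD, so a small value can only be a header length.
    """
    if len(payload) >= 4:
        total = struct.unpack("<I", payload[:4])[0]
        if 4 <= total < 0x10000 and total <= len(payload):
            payload = payload[total:]
    return payload.decode("utf-16-le", errors="replace")


def classify_query(sql):
    """Return the rule-style labels one query would trip, mirroring the rule names above."""
    text = " ".join(sql.split())  # collapse whitespace so patterns are not trivially evaded
    low = text.lower()
    hits = []
    if "sp_addextendedproc" in low:
        # Registering any extended stored procedure is worth an INFO event; registering one
        # named "maggie" is assumed here to be what the MALWARE rule keys on.
        if "maggie" in low:
            hits.append("MSSQL maggie backdoor sp_addextendedproc Command Observed")
        else:
            hits.append("MSSQL sp_addextendedproc Command Observed")
    if re.search(r"\bselect\s+@@spid\b", low):
        hits.append("MSSQL SELECT SPID Query Observed")
    for cmd in MAGGIE_COMMANDS:
        # Assumed invocation shape: EXEC maggie 'whoami' (procedure name, then a quoted command).
        if re.search(r"\bmaggie\s+'" + re.escape(cmd) + r"\b", text, re.IGNORECASE):
            hits.append("MSSQL maggie backdoor %s Query Observed" % cmd)
    return hits


def scan_stream(data):
    """Frame a client->server TDS byte stream and return (spid, label, query) findings."""
    findings = []
    for ptype, _status, spid, payload in parse_tds_packets(data):
        if ptype != TDS_SQL_BATCH:
            continue
        sql = sql_batch_text(payload)
        for label in classify_query(sql):
            findings.append((spid, label, " ".join(sql.split())))
    return findings


def build_sql_batch(sql, spid=0, with_all_headers=True):
    """Construct one TDS SQL_BATCH packet for testing (constructed sample, not captured traffic)."""
    body = sql.encode("utf-16-le")
    if with_all_headers:
        # One header: HeaderLength=18, HeaderType=2 (transaction descriptor),
        # 8-byte descriptor, 4-byte outstanding request count. Total = 4 + 18 = 22.
        hdr = struct.pack("<IHQI", 18, 2, 0, 1)
        body = struct.pack("<I", 4 + len(hdr)) + hdr + body
    header = struct.pack(">BBHHBB", TDS_SQL_BATCH, 0x01, 8 + len(body), spid, 1, 0)
    return header + body


# Constructed sample stream: a SPID probe, a maggie registration, a maggie command, and benign traffic.
SAMPLE_STREAM = (
    build_sql_batch("SELECT @@SPID", spid=51)
    + build_sql_batch("EXEC sp_addextendedproc 'maggie', 'maggie.dll'", spid=51)
    + build_sql_batch("EXEC maggie 'whoami'", spid=51)
    + build_sql_batch("SELECT name FROM sys.databases", spid=51, with_all_headers=False)
)

if __name__ == "__main__":
    for spid, label, query in scan_stream(SAMPLE_STREAM):
        print("spid=%d  %s  <- %s" % (spid, label, query))
```

The SPID probe and the plain sp_addextendedproc registration are INFO-level in the rule names above because both occur in legitimate administration; only the combination with the maggie procedure name or its command keywords is treated as malware-grade here, and a real deployment would tune those keyword patterns against observed traffic rather than rely on the assumed invocation shape.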