Daily Ruleset Update Summary 2022/10/19

Summary:

40 new OPEN, 48 new PRO (40 + 8) Apache Text4Shell RCE, Polonium CnC, Win32/WarHawk

Due to the observation of an internal holiday, there will be no release on Friday October 21, 2022.

Thanks @sysdig, @pwntester, @InQuest, @pr0xylife, @Gi7w0rm

Please share issues, feedback, and requests at Feedback

Added rules:

Open:

2039445 - ET USER_AGENTS Observed Uclient User-Agent (user_agents.rules)
2039446 - ET INFO Blokada DNS Over HTTPS Certificate Inbound (info.rules)
2039447 - ET INFO Brahma World DNS Over HTTPS Certificate Inbound (info.rules)
2039448 - ET INFO Bortzmeyer DNS Over HTTPS Certificate Inbound (info.rules)
2039449 - ET INFO Charter DNS Over HTTPS Certificate Inbound (info.rules)
2039450 - ET INFO CIRA Canadian Shield DNS Over HTTPS Certificate Inbound (info.rules)
2039451 - ET INFO Cisco Umbrella (OpenDNS) DNS Over HTTPS Certificate Inbound (info.rules)
2039452 - ET INFO Cisco Umbrella (OpenDNS) DNS Over HTTPS Certificate Inbound (info.rules)
2039453 - ET INFO ControlId DNS Over HTTPS Certificate Inbound (info.rules)
2039454 - ET INFO CZ.NIC DNS Over HTTPS Certificate Inbound (info.rules)
2039455 - ET INFO DigitalSize DNS Over HTTPS Certificate Inbound (info.rules)
2039456 - ET INFO DNSlow DNS Over HTTPS Certificate Inbound (info.rules)
2039457 - ET INFO DNSPod DNS Over HTTPS Certificate Inbound (info.rules)
2039458 - ET INFO DnsCrypt DNS Over HTTPS Certificate Inbound (info.rules)
2039459 - ET INFO DnsCrypt DNS Over HTTPS Certificate Inbound (info.rules)
2039460 - ET INFO DNS For Family DNS Over HTTPS Certificate Inbound (info.rules)
2039461 - ET INFO DNSForge DNS Over HTTPS Certificate Inbound (info.rules)
2039462 - ET INFO dnsHome DNS Over HTTPS Certificate Inbound (info.rules)
2039463 - ET INFO DNSlify DNS Over HTTPS Certificate Inbound (info.rules)
2039464 - ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Inbound) (exploit.rules)
2039465 - ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Outbound) (exploit.rules)
2039466 - ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Inbound) (exploit.rules)
2039467 - ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Outbound) (exploit.rules)
2039468 - ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound) (exploit.rules)
2039469 - ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Outbound) (exploit.rules)
2039470 - ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound) (exploit.rules)
2039471 - ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Outbound) (exploit.rules)
2039472 - ET INFO URL Shortener Service Domain in DNS Lookup (rebrand .ly) (info.rules)
2039473 - ET INFO URL Shortener Service Domain in DNS Lookup (bitly .ws) (info.rules)
2039474 - ET INFO URL Shortener Service Domain in DNS Lookup (is .gd) (info.rules)
2039475 - ET INFO URL Shortener Service Domain in DNS Lookup (snip .ly) (info.rules)
2039476 - ET MALWARE Suspected POLONIUM CnC Domain (consulting-ukraine .tk) in DNS Lookup (malware.rules)
2039477 - ET MALWARE Suspected POLONIUM CnC Domain (ukrsupport .info) in DNS Lookup (malware.rules)
2039478 - ET MALWARE Suspected Polonium CnC Initial Checkin M1 (malware.rules)
2039479 - ET MALWARE Suspected Polonium CnC Initial Checkin M2 (malware.rules)
2039480 - ET MALWARE Suspected Polonium CnC Checkin (get_cmd) (malware.rules)
2039481 - ET MALWARE Suspected Polonium CnC Checkin (result.php - process list) M1 (malware.rules)
2039482 - ET MALWARE Suspected Polonium CnC Checkin (result.php - process list) M2 (malware.rules)
2039483 - ET PHISHING Successful mail .ru Credential Phish (phishing.rules)
2039484 - ET MALWARE SocGholish CnC Domain in DNS Lookup (discover .jsfconnections .com) (malware.rules)

Pro:

2852634 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-10-19 1) (coinminer.rules)
2852635 - ETPRO MALWARE Win32/WarHawk Checkin Activity (malware.rules)
2852636 - ETPRO MALWARE Win32/WarHawk Activity (ping) (malware.rules)
2852637 - ETPRO MALWARE Win32/WarHawk Activity (task) (malware.rules)
2852638 - ETPRO MALWARE Win32/WarHawk Activity (cmd) (malware.rules)
2852639 - ETPRO MALWARE Win32/WarHawk Activity (filemgr) (malware.rules)
2852640 - ETPRO MALWARE Win32/WarHawk Activity (filemgr) M2 (malware.rules)
2852641 - ETPRO MALWARE Win32/WarHawk Activity (fileupload) (malware.rules)

Modified active rules:

2039422 - ET USER_AGENTS Supicious User-Agent (RT/1.0) (user_agents.rules)
2844078 - ETPRO MALWARE Win32/Agentb.jzps CnC Host Checkin (malware.rules)

Modified inactive rules:

2001980 - ET POLICY SSH Client Banner Detected on Unusual Port (policy.rules)