Daily Ruleset Update Summary 2022/10/24

Summary:
25 new OPEN, 30 new PRO (25 + 5) TA452, Cobalt Strike, Various Phish, Various DNS rules

Thanks @korteke @StopMalvertisin @safebreach @BlackBerry @Fortinet

Please share issues, feedback, and requests at Feedback

Added rules:

Open:

2039512 - ET MALWARE MSIL/InfoStealer Variant Activity (POST) (malware.rules)
2039513 - ET MALWARE TA452 Related Backdoor Activity (GET) (malware.rules)
2039514 - ET MALWARE TA452 Related Backdoor Activity (POST) (malware.rules)
2039515 - ET MALWARE TA452 Related Backdoor Activity (POST) (malware.rules)
2039516 - ET INFO MegaNerd DNS Over HTTPS Certificate Inbound (info.rules)
2039517 - ET INFO Mullvad DNS Over HTTPS Certificate Inbound (info.rules)
2039518 - ET INFO Mullvad DNS Over HTTPS Certificate Inbound (info.rules)
2039519 - ET INFO NextDNS DNS Over HTTPS Certificate Inbound (info.rules)
2039520 - ET INFO Njalla DNS Over HTTPS Certificate Inbound (info.rules)
2039521 - ET INFO Open Internet DNS Over HTTPS Certificate Inbound (info.rules)
2039522 - ET INFO Paesa DNS Over HTTPS Certificate Inbound (info.rules)
2039523 - ET INFO Plan9-dns DNS Over HTTPS Certificate Inbound (info.rules)
2039524 - ET INFO Plan9-dns DNS Over HTTPS Certificate Inbound (info.rules)
2039525 - ET INFO PureDNS DNS Over HTTPS Certificate Inbound (info.rules)
2039526 - ET INFO Plan9-dns DNS Over HTTPS Certificate Inbound (info.rules)
2039527 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (pedaily .online) (malware.rules)
2039528 - ET MALWARE Cobalt Strike Related Domain in DNS Lookup (ellechina .online) (malware.rules)
2039529 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (gov .mil .ua .aspx .io) (malware.rules)
2039530 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (notfiled .com) (malware.rules)
2039531 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (advanced-ip-scanners .com) (malware.rules)
2039532 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (advanced-ip-scaner .com) (malware.rules)
2039533 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (4qzm .com) (malware.rules)
2039534 - ET MALWARE Observed DNS Query to ROMCOM RAT Domain (www .get .adobe .com .aspx .io) (malware.rules)
2039535 - ET PHISHING Successful BoA Credential Phish 2022-10-24 (phishing.rules)
2039536 - ET PHISHING Successful Citizens Bank Credential Phish 2022-10-24 (phishing.rules)

Pro:

2852646 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-10-20 1) (coinminer.rules)
2852647 - ETPRO MALWARE Win32/Remcos RAT Checkin 846 (malware.rules)
2852648 - ETPRO PHISHING Successful Bank of America Phish 2022-10-24 (phishing.rules)

Modified active rules:

2039464 - ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Inbound) (exploit.rules)
2039465 - ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Outbound) (exploit.rules)
2039466 - ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Inbound) (exploit.rules)
2039467 - ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Outbound) (exploit.rules)
2039468 - ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound) (exploit.rules)
2039469 - ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Outbound) (exploit.rules)
2039470 - ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Inbound) (exploit.rules)
2039471 - ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Outbound) (exploit.rules)
2804765 - ETPRO MALWARE Dirt Jumper/Russkill v5 Checkin (malware.rules)
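A practical follow-up to a summary like this is confirming that the listed SIDs actually landed in the local rules file after the update pulled, and that none of them were silently disabled by a local disable.conf or a stale modification. The script below is an added example, not part of the ET summary and not ET or Suricata project code: it parses Suricata/Snort-style rule lines, then reports each SID from this update as enabled, disabled (commented out) or missing. The sample rules embedded in it are constructed placeholders that reuse only the SIDs and msg strings from the list above; their options and content matches are not the real ET rule bodies.

```python
"""Audit a local rules file against the SIDs in an ET daily update.

Added example for the 2022/10/24 summary. The rule bodies in SAMPLE_RULES
are constructed placeholders (only the sid and msg values come from the
update list); replace SAMPLE_RULES with the contents of your own
suricata.rules to run it for real.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# SIDs taken from the summary above.
ADDED_OPEN = list(range(2039512, 2039537))          # 2039512 .. 2039536
ADDED_PRO = [2852646, 2852647, 2852648]
MODIFIED = list(range(2039464, 2039472)) + [2804765]

# Constructed sample: 2039513 is commented out to show a disabled rule;
# 2039530 and 2039464 are deliberately absent to show the "missing" case.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/InfoStealer Variant Activity (POST)"; flow:established,to_server; classtype:trojan-activity; sid:2039512; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA452 Related Backdoor Activity (GET)"; flow:established,to_server; classtype:trojan-activity; sid:2039513; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (pedaily .online)"; dns.query; content:"pedaily.online"; nocase; classtype:domain-c2; sid:2039527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Outbound)"; flow:established,to_server; classtype:attempted-admin; sid:2039465; rev:2;)
"""

# A rule line: optional leading '#' (disabled), an action keyword, then
# somewhere in the options a sid:N; and a rev:N;.
RULE_RE = re.compile(
    r'^\s*(?P<disabled>#)?\s*(?P<action>alert|drop|pass|reject)\s+.*?'
    r'\bsid\s*:\s*(?P<sid>\d+)\s*;.*?\brev\s*:\s*(?P<rev>\d+)\s*;'
)
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')


@dataclass
class RuleState:
    sid: int
    rev: int
    msg: str
    enabled: bool


def parse_rules(text: str) -> Dict[int, RuleState]:
    """Map sid -> RuleState for every rule line (enabled or commented out)."""
    # Rules may be wrapped with trailing backslashes; rejoin them first.
    joined = re.sub(r'\\\n', ' ', text)
    rules: Dict[int, RuleState] = {}
    for line in joined.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or an ordinary comment, not a rule
        msg_m = MSG_RE.search(line)
        sid = int(m.group('sid'))
        rules[sid] = RuleState(
            sid=sid,
            rev=int(m.group('rev')),
            msg=msg_m.group(1) if msg_m else '',
            enabled=m.group('disabled') is None,
        )
    return rules


def audit(rules: Dict[int, RuleState], expected: Iterable[int]) -> Dict[str, List[int]]:
    """Bucket each expected SID as enabled, disabled or missing."""
    report: Dict[str, List[int]] = {'enabled': [], 'disabled': [], 'missing': []}
    for sid in expected:
        state = rules.get(sid)
        if state is None:
            report['missing'].append(sid)
        elif state.enabled:
            report['enabled'].append(sid)
        else:
            report['disabled'].append(sid)
    return report


if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_RULES)
    for label, sids in (('open', ADDED_OPEN), ('pro', ADDED_PRO), ('modified', MODIFIED)):
        rep = audit(parsed, sids)
        print(f"{label}: {len(rep['enabled'])} enabled, "
              f"{len(rep['disabled'])} disabled, {len(rep['missing'])} missing")
        for sid in rep['disabled']:
            print(f"  disabled: {sid} {parsed[sid].msg}")
```

Pro SIDs will report as missing on an Open-only sensor, which is expected; the interesting output is a SID in the Open list that is missing or disabled. For the "Modified active rules" entries, the rev value the parser captures is what to compare against your previous snapshot, since a modification that landed should show a higher rev for the same sid.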