Ruleset Update Summary - 2022/11/16 - v10174

Summary:

6 new OPEN, 10 new PRO (6 + 4)

Thanks @malware_traffic

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.


Added rules:

Open:

  • 2039793 - ET MALWARE Observed Malicious SSL/TLS Certificate (CobaltStrike C2) (malware.rules)
  • 2039794 - ET EXPLOIT GL iNet MTN300n Command Injection Attempt Inbound (CVE-2022-31898) (exploit.rules)
  • 2039795 - ET INFO GameHouse License Check (info.rules)
  • 2039796 - ET INFO External File Sharing Service in DNS Lookup (sharefile .com) (info.rules)
  • 2039797 - ET MALWARE Win32/VB.PNU CnC Checkin (malware.rules)
  • 2039798 - ET MALWARE SocGholish Domain in DNS Lookup (factors .djbel .com) (malware.rules)

Pro:

  • 2852822 - ETPRO MALWARE Win32/Remcos RAT Checkin 848 (malware.rules)
  • 2852823 - ETPRO MALWARE Win32/Remcos RAT Checkin 849 (malware.rules)
  • 2852824 - ETPRO MALWARE Maldoc Related Domain in DNS Lookup (malware.rules)
  • 2852825 - ETPRO MALWARE Maldoc Related Domain in DNS Lookup (malware.rules)

Modified active rules:

  • 2827990 - ETPRO MALWARE Malicious Miner Downloading CoinMiner Configuration M2 (malware.rules)
  • 2843641 - ETPRO MALWARE Win32/Alyak.G Variant CnC Activity (malware.rules)

Disabled and modified rules:

  • 2807998 - ETPRO EXPLOIT Possible CVE-2014-0515 Flash Buffer Overflow (exploit.rules)
  • 2808038 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0310) (web_client.rules)
  • 2808144 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1766) (web_client.rules)
  • 2808145 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free 1 (CVE-2014-1785) (web_client.rules)
  • 2808146 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free 2 (CVE-2014-1785) (web_client.rules)
  • 2808148 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1791) (web_client.rules)
  • 2808231 - ETPRO WEB_CLIENT Possible Acrobat Reader Privilaged API Acess CVE-2014-0521 (web_client.rules)