Ruleset Update Summary - 2022/11/21 - v10178

Ruleset Updates
1

Summary:

5 new OPEN, 11 new PRO (5 + 6)

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

  • 2039813 - ET HUNTING 7-zip Executable Requested (GET) (hunting.rules)
  • 2039814 - ET INFO DYNAMIC_DNS Query to ath .cx Domain (info.rules)
  • 2039815 - ET MALWARE Win32/Filecoder.OJC CnC Checkin (malware.rules)
  • 2039816 - ET MALWARE Golang Aurora Stealer Exfil Activity (malware.rules)
  • 2039817 - ET MALWARE SocGholish Domain in DNS Lookup (mini .ptipexcel .com) (malware.rules)

Pro:

  • 2852835 - ETPRO MALWARE Win32/Remcos RAT Checkin 850 (malware.rules)
  • 2852836 - ETPRO MALWARE Win32/Remcos RAT Checkin 851 (malware.rules)
  • 2852837 - ETPRO PHISHING Successful Generic Phish 2022-11-21 (phishing.rules)
  • 2852838 - ETPRO PHISHING Successful Cembra Money Bank Phish 2022-11-21 (phishing.rules)
  • 2852839 - ETPRO PHISHING Successful Twitter Credential Phish 2022-11-18 (phishing.rules)
  • 2852840 - ETPRO PHISHING Twitter Phish Landing Page 2022-11-18 (phishing.rules)

Modified active rules:

  • 2016379 - ET INFO JAR Containing Executable Downloaded (info.rules)
  • 2023231 - ET WEB_SERVER HTTP Request to a *.33db9538.com domain - Anuna Checkin - Compromised PHP Site (web_server.rules)
  • 2023234 - ET WEB_SERVER HTTP Request to a *.54dfa1cb.com domain - Anuna Checkin - Compromised PHP Site (web_server.rules)
  • 2023668 - ET INFO Unconfigured nginx Access (info.rules)
  • 2023882 - ET INFO HTTP Request to a *.top domain (info.rules)
  • 2025553 - ET INFO Possible Rogue LoJack Asset Tracking Agent (info.rules)
  • 2025627 - ET INFO [eSentire] Possible Kali Linux Updates (info.rules)
  • 2026758 - ET INFO External Host Probing for ChromeCast Devices (info.rules)
  • 2026888 - ET INFO DNS Query for Suspicious .icu Domain (info.rules)
  • 2026889 - ET INFO Suspicious Domain (*.icu) in TLS SNI (info.rules)
  • 2026988 - ET INFO PowerShell NoProfile Command Received In Powershell Stagers (info.rules)
  • 2026995 - ET INFO PowerShell DownloadString Command Common In Powershell Stagers (info.rules)
  • 2027251 - ET INFO Dotted Quad Host DOC Request (info.rules)
  • 2027265 - ET INFO Dotted Quad Host PDF Request (info.rules)
  • 2027863 - ET INFO Observed DNS Query to .biz TLD (info.rules)
  • 2027864 - ET INFO Observed DNS Query to .okinawa TLD (info.rules)
  • 2027865 - ET INFO Observed DNS Query to .cloud TLD (info.rules)
  • 2027866 - ET INFO Observed DNS Query to .desi TLD (info.rules)
  • 2027867 - ET INFO Observed DNS Query to .life TLD (info.rules)
  • 2027868 - ET INFO Observed DNS Query to .work TLD (info.rules)
  • 2027870 - ET INFO Observed DNS Query to .world TLD (info.rules)
  • 2027871 - ET INFO Observed DNS Query to .fit TLD (info.rules)
  • 2027874 - ET INFO HTTP Request to Suspicious *.cloud Domain (info.rules)
  • 2027876 - ET INFO HTTP Request to Suspicious *.life Domain (info.rules)
  • 2027877 - ET INFO HTTP Request to Suspicious *.work Domain (info.rules)
  • 2027879 - ET INFO HTTP Request to Suspicious *.world Domain (info.rules)
  • 2033830 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (hkxpqdtgsucylodaejmzmtnkpfvojabe .com) (malware.rules)
  • 2033831 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (etzndtcvqvyxajpcgwkzsoweaubilflh .com) (malware.rules)
  • 2033832 - ET MALWARE HCRootkit CnC Domain in DNS Lookup (esnoptdkkiirzewlpgmccbwuynvxjumf .name) (malware.rules)
  • 2034561 - ET INFO Observed DNS Query to Commonly Abused Preview Domain (preview-domain .com) (info.rules)
  • 2034634 - ET INFO webhook .site in TLS SNI (info.rules)
  • 2034635 - ET INFO Python BaseHTTP ServerBanner (info.rules)
  • 2035227 - ET INFO URL Shortener Service Domain in DNS Lookup (vk .sv) (info.rules)
  • 2035538 - ET INFO infinityfree .net Domain in DNS Lookup (info.rules)
  • 2035655 - ET INFO Image Hosting Domain in DNS Lookup (hizliresim .com) (info.rules)
  • 2036642 - ET MALWARE Bitter APT Related Domain in DNS Lookup (emshedulersvc .com) (malware.rules)
  • 2036644 - ET MALWARE Bitter APT Related Domain in DNS Lookup (diyefosterfeeds .com) (malware.rules)
  • 2036873 - ET INFO Peer-to-Peer File Sharing Service Domain in DNS Lookup (ipfs .io) (info.rules)
  • 2037269 - ET INFO Custom Logo Domain Domain in DNS Lookup (logodownload .org) (info.rules)
  • 2037763 - ET INFO Observed File Sharing Domain (roamresearch .com in TLS SNI) (info.rules)
  • 2038532 - ET MALWARE Shuckworm/Gamaredon CnC Domain (heato .ru) in DNS Lookup (malware.rules)
  • 2038533 - ET MALWARE Shuckworm/Gamaredon CnC Domain (motoristo .ru) in DNS Lookup (malware.rules)
  • 2038741 - ET INFO URL Shortening Service Domain in DNS Lookup (www .temporary-url .com) (info.rules)
  • 2038743 - ET MALWARE Suspected Win32/TinyNode Activity (Outbound) (malware.rules)
  • 2819915 - ETPRO MALWARE Jupiter Banker/Bolek/Kbot DNS Lookup (malware.rules)
  • 2822354 - ETPRO INFO DNS Query to server.com (Possible Misconfiguration) (info.rules)
  • 2823117 - ETPRO INFO DNS TXT Response Contains URL (info.rules)
  • 2823554 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup (mobile_malware.rules)
  • 2827579 - ETPRO INFO .moe Domain in TLS SNI (info.rules)
  • 2828218 - ETPRO MALWARE Cerber Domain Observed (1mudaw .top in TLS SNI) (malware.rules)
  • 2832311 - ETPRO MALWARE SocketPlayer Netflix Killswitch DNS Lookup 3 (asdkaaskdlaksdjjkjsdnddasakkkaksjdjndkjansdkswda) (malware.rules)
  • 2833171 - ETPRO INFO Dynamic DNS Provider DNS Lookup (gotdns .ch) (info.rules)
  • 2833891 - ETPRO MALWARE SocketPlayer Netflix Killswitch DNS Lookup 5 (opkqpowekdasdoaijsdoiiowqewqewowekkjndkjansdka) (malware.rules)
  • 2834878 - ETPRO HUNTING Suspicious Registrar Nameservers in DNS Response (internet .bs) (hunting.rules)
  • 2838131 - ETPRO INFO HTTP Request with Lowercase connection Header Observed (info.rules)
  • 2838132 - ETPRO INFO HTTP Request with Lowercase accept Header Observed (info.rules)
  • 2838428 - ETPRO MALWARE Observed Malicious SSL Cert (Inception Group CnC) (malware.rules)
  • 2838429 - ETPRO MALWARE Observed Malicious SSL Cert (Inception Group CnC) (malware.rules)
  • 2844625 - ETPRO MALWARE Observed Glupteba CnC Domain in TLS SNI (malware.rules)
  • 2849245 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 158 (mobile_malware.rules)
  • 2851070 - ETPRO INFO AdGuard DNS Over HTTPS Certificate Inbound (info.rules)
  • 2851362 - ETPRO MALWARE Win32/MetaStealer Related Activity (GET) (malware.rules)
  • 2851363 - ETPRO MALWARE Win32/MetaStealer Related Activity (POST) (malware.rules)

Disabled and modified rules:

  • 2019244 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1 (web_server.rules)
  • 2019245 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2 (web_server.rules)
  • 2019246 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3 (web_server.rules)
  • 2019247 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4 (web_server.rules)
  • 2019248 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5 (web_server.rules)
  • 2019249 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6 (web_server.rules)
  • 2019250 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7 (web_server.rules)
  • 2019251 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8 (web_server.rules)
  • 2019252 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9 (web_server.rules)
  • 2019253 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10 (web_server.rules)
  • 2019254 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11 (web_server.rules)
  • 2019255 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12 (web_server.rules)
  • 2808263 - ETPRO WEB_CLIENT Possible Adobe Flash CVE-2014-0536 (web_client.rules)
  • 2808301 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-2801) (web_client.rules)
  • 2808302 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-2804) (web_client.rules)
  • 2808757 - ETPRO WEB_CLIENT Possible Internet Explorer Remote Code Execution (CVE-2014-4080) (web_client.rules)
  • 2808758 - ETPRO WEB_CLIENT Possible Internet Explorer Remote Code Execution (CVE-2014-4081) (web_client.rules)
  • 2808759 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free (CVE-2014-4084) (web_client.rules)
  • 2808762 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free (CVE-2014-4089) (web_client.rules)
  • 2808764 - ETPRO WEB_CLIENT Possible Internet Explorer Use-After-Free (CVE-2014-4094) (web_client.rules)

Removed rules:

  • 2028609 - ET MALWARE Magecart CnC Domain Observed in DNS Query (malware.rules)
  • 2029058 - ET MALWARE Win32/Beapy CnC Domain in DNS Lookup (malware.rules)
  • 2034072 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
  • 2034074 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
  • 2034075 - ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup (malware.rules)
  • 2037719 - ET MALWARE Bitter APT Domain in DNS Lookup (emshedulersvc .com) (malware.rules)
  • 2037720 - ET MALWARE Bitter APT Domain in DNS Lookup (diyefosterfeeds .com) (malware.rules)
  • 2038908 - ET MALWARE Gamaredon Payload Delivery Domain (heato .ru) in DNS Lookup (malware.rules)
  • 2038909 - ET MALWARE Gamaredon Payload Delivery Domain (motoristo .ru) in DNS Lookup (malware.rules)
  • 2819861 - ETPRO MALWARE MultiGrainPOS Checkin (malware.rules)
  • 2819862 - ETPRO MALWARE MultiGrainPOS Checkin (malware.rules)
  • 2820293 - ETPRO MALWARE Bolek/Kbot CnC DNS Lookup (knutesecos.com) (malware.rules)
  • 2824089 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup (mobile_malware.rules)
  • 2825179 - ETPRO MALWARE Carbanak PowerShell DNS TXT CnC Beacon 2 (malware.rules)
  • 2826193 - ETPRO MALWARE ABUSE.CH TorrentLocker Payment Domain (flackbon . tw) (malware.rules)
  • 2828213 - ETPRO MALWARE Sage Domain (er29sl .com in DNS Lookup) (malware.rules)
  • 2828268 - ETPRO MALWARE Malicious Domain CStrike C2 (blockbitcoin .com) in DNS Lookup (malware.rules)
  • 2828928 - ETPRO MALWARE PowerRatankba DNS Lookup 8 (malware.rules)
  • 2832214 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda CnC) (malware.rules)
  • 2835199 - ETPRO MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC) (malware.rules)
  • 2835695 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2839083 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2839085 - ETPRO MALWARE Observed Malicious SSL Cert (SONE CnC) (malware.rules)
  • 2839796 - ETPRO MALWARE Observed Malicious SSL Cert (GRIFFON CnC) (malware.rules)
  • 2840391 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) 2020-01-10 (malware.rules)
  • 2840478 - ETPRO MALWARE Observed Malicious SSL Cert (Get2 CnC) (malware.rules)
  • 2841826 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2842774 - ETPRO MALWARE Observed Malicious SSL Cert (AZORult CnC) (malware.rules)
  • 2843056 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2843747 - ETPRO MALWARE Observed Taurus Stealer CnC Domain in TLS SNI (malware.rules)
  • 2844835 - ETPRO MALWARE Observed Malicious SSL Cert (IcedID) (malware.rules)
  • 2845032 - ETPRO INFO Observed DNS Over HTTPS Domain in TLS SNI (dns .dns-over-https .com) (info.rules)
  • 2845082 - ETPRO MOBILE_MALWARE Android/Hiddad.AJA DNS Lookup (mobile_malware.rules)
  • 2845593 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
  • 2845610 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) (malware.rules)
  • 2845681 - ETPRO MOBILE_MALWARE Android Spy Easyphonetrack TLS SNI (mobile_malware.rules)
  • 2847997 - ETPRO MALWARE Observed Glupteba CnC Domain in TLS SNI (malware.rules)
  • 2848268 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 25 (mobile_malware.rules)
  • 2848596 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 77 (mobile_malware.rules)
  • 2848598 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 79 (mobile_malware.rules)
  • 2848601 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 82 (mobile_malware.rules)
  • 2849065 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 128 (mobile_malware.rules)
  • 2849140 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 140 (mobile_malware.rules)
  • 2849204 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 152 (mobile_malware.rules)
  • 2849419 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 172 (mobile_malware.rules)
  • 2849631 - ETPRO MOBILE_MALWARE Android/Agent.BQX (TLS SNI) 178 (mobile_malware.rules)
  • 2851715 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BWB CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2851716 - ETPRO MOBILE_MALWARE Android/Spy.Agent.BZV CnC Domain in DNS Lookup (mobile_malware.rules)
  • 2852643 - ETPRO MALWARE WinGo/Agent.IE Exfil (malware.rules)