Ruleset Update Summary - 2022/12/06 - v10189

Ruleset Updates
1

Summary:

148 new OPEN, 156 new PRO (148 + 8)

Thanks @eclypsium

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

  • 2041785 - ET INFO DYNAMIC_DNS Query to a *.ezwebsites .com Domain (info.rules)
  • 2041786 - ET INFO DYNAMIC_DNS HTTP Request to a *.ezwebsites .com Domain (info.rules)
  • 2041787 - ET INFO DYNAMIC_DNS Query to a *.a-quo .com Domain (info.rules)
  • 2041788 - ET INFO DYNAMIC_DNS HTTP Request to a *.a-quo .com Domain (info.rules)
  • 2041789 - ET INFO DYNAMIC_DNS Query to a *.ayasophia .com Domain (info.rules)
  • 2041790 - ET INFO DYNAMIC_DNS HTTP Request to a *.ayasophia .com Domain (info.rules)
  • 2041791 - ET INFO DYNAMIC_DNS Query to a *.lain .ch Domain (info.rules)
  • 2041792 - ET INFO DYNAMIC_DNS HTTP Request to a *.lain .ch Domain (info.rules)
  • 2041793 - ET INFO DYNAMIC_DNS HTTP Request to a *.lqtai .com Domain (info.rules)
  • 2041794 - ET INFO DYNAMIC_DNS Query to a *.mrcork .com Domain (info.rules)
  • 2041795 - ET INFO DYNAMIC_DNS HTTP Request to a *.mrcork .com Domain (info.rules)
  • 2041796 - ET INFO DYNAMIC_DNS Query to a *.veta .su Domain (info.rules)
  • 2041797 - ET INFO DYNAMIC_DNS HTTP Request to a *.veta .su Domain (info.rules)
  • 2041798 - ET INFO DYNAMIC_DNS Query to a *.automotive .si Domain (info.rules)
  • 2041799 - ET INFO DYNAMIC_DNS HTTP Request to a *.automotive .si Domain (info.rules)
  • 2041800 - ET INFO DYNAMIC_DNS Query to a *.homaxcorp .com Domain (info.rules)
  • 2041801 - ET INFO DYNAMIC_DNS HTTP Request to a *.homaxcorp .com Domain (info.rules)
  • 2041802 - ET INFO DYNAMIC_DNS Query to a *.antiphone .net Domain (info.rules)
  • 2041803 - ET INFO DYNAMIC_DNS HTTP Request to a *.antiphone .net Domain (info.rules)
  • 2041804 - ET INFO DYNAMIC_DNS Query to a *.leonardocastano .com .ar Domain (info.rules)
  • 2041805 - ET INFO DYNAMIC_DNS HTTP Request to a *.leonardocastano .com .ar Domain (info.rules)
  • 2041806 - ET INFO DYNAMIC_DNS Query to a *.rogerthedog .com Domain (info.rules)
  • 2041807 - ET INFO DYNAMIC_DNS HTTP Request to a *.rogerthedog .com Domain (info.rules)
  • 2041808 - ET INFO DYNAMIC_DNS Query to a *.visalawyer .co .uk Domain (info.rules)
  • 2041809 - ET INFO DYNAMIC_DNS HTTP Request to a *.visalawyer .co .uk Domain (info.rules)
  • 2041810 - ET INFO DYNAMIC_DNS Query to a *.blue-jade .net Domain (info.rules)
  • 2041811 - ET INFO DYNAMIC_DNS HTTP Request to a *.blue-jade .net Domain (info.rules)
  • 2041812 - ET INFO DYNAMIC_DNS Query to a *.eternalimpressions .com Domain (info.rules)
  • 2041813 - ET INFO DYNAMIC_DNS HTTP Request to a *.eternalimpressions .com Domain (info.rules)
  • 2041814 - ET INFO DYNAMIC_DNS Query to a *.galipan .org Domain (info.rules)
  • 2041815 - ET INFO DYNAMIC_DNS HTTP Request to a *.galipan .org Domain (info.rules)
  • 2041816 - ET INFO DYNAMIC_DNS Query to a *.herbalhealthyh20 .com Domain (info.rules)
  • 2041817 - ET INFO DYNAMIC_DNS HTTP Request to a *.herbalhealthyh20 .com Domain (info.rules)
  • 2041818 - ET INFO DYNAMIC_DNS Query to a *.nunc .se Domain (info.rules)
  • 2041819 - ET INFO DYNAMIC_DNS HTTP Request to a *.nunc .se Domain (info.rules)
  • 2041820 - ET INFO DYNAMIC_DNS Query to a *.champagnewishesandrvdreams .com Domain (info.rules)
  • 2041821 - ET INFO DYNAMIC_DNS HTTP Request to a *.champagnewishesandrvdreams .com Domain (info.rules)
  • 2041822 - ET INFO DYNAMIC_DNS Query to a *.furryplace .eu Domain (info.rules)
  • 2041823 - ET INFO DYNAMIC_DNS HTTP Request to a *.furryplace .eu Domain (info.rules)
  • 2041824 - ET INFO DYNAMIC_DNS Query to a *.n43 .pw Domain (info.rules)
  • 2041825 - ET INFO DYNAMIC_DNS HTTP Request to a *.n43 .pw Domain (info.rules)
  • 2041826 - ET INFO DYNAMIC_DNS Query to a *.hmsolucoes .com Domain (info.rules)
  • 2041827 - ET INFO DYNAMIC_DNS HTTP Request to a *.hmsolucoes .com Domain (info.rules)
  • 2041828 - ET INFO DYNAMIC_DNS Query to a *.veriler .com Domain (info.rules)
  • 2041829 - ET INFO DYNAMIC_DNS HTTP Request to a *.veriler .com Domain (info.rules)
  • 2041830 - ET INFO DYNAMIC_DNS Query to a *.hackerzinc .com Domain (info.rules)
  • 2041831 - ET INFO DYNAMIC_DNS HTTP Request to a *.hackerzinc .com Domain (info.rules)
  • 2041832 - ET INFO DYNAMIC_DNS Query to a *.bizis .si Domain (info.rules)
  • 2041833 - ET INFO DYNAMIC_DNS HTTP Request to a *.bizis .si Domain (info.rules)
  • 2041834 - ET INFO DYNAMIC_DNS Query to a *.dleon .cl Domain (info.rules)
  • 2041835 - ET INFO DYNAMIC_DNS HTTP Request to a *.dleon .cl Domain (info.rules)
  • 2041836 - ET INFO DYNAMIC_DNS Query to a *.swds .com .au Domain (info.rules)
  • 2041837 - ET INFO DYNAMIC_DNS HTTP Request to a *.swds .com .au Domain (info.rules)
  • 2041838 - ET INFO DYNAMIC_DNS Query to a *.redsteedstudios .com Domain (info.rules)
  • 2041839 - ET INFO DYNAMIC_DNS HTTP Request to a *.redsteedstudios .com Domain (info.rules)
  • 2041840 - ET INFO DYNAMIC_DNS Query to a *.appswiss .ch Domain (info.rules)
  • 2041841 - ET INFO DYNAMIC_DNS HTTP Request to a *.appswiss .ch Domain (info.rules)
  • 2041842 - ET INFO DYNAMIC_DNS Query to a *.flink .cl Domain (info.rules)
  • 2041843 - ET INFO DYNAMIC_DNS HTTP Request to a *.flink .cl Domain (info.rules)
  • 2041844 - ET INFO DYNAMIC_DNS Query to a *.ubernerden .com Domain (info.rules)
  • 2041845 - ET INFO DYNAMIC_DNS HTTP Request to a *.ubernerden .com Domain (info.rules)
  • 2041846 - ET INFO DYNAMIC_DNS Query to a *.battlecore .ru Domain (info.rules)
  • 2041847 - ET INFO DYNAMIC_DNS HTTP Request to a *.battlecore .ru Domain (info.rules)
  • 2041848 - ET INFO DYNAMIC_DNS Query to a *.onapon .com Domain (info.rules)
  • 2041849 - ET INFO DYNAMIC_DNS HTTP Request to a *.onapon .com Domain (info.rules)
  • 2041850 - ET INFO DYNAMIC_DNS Query to a *.milk .is Domain (info.rules)
  • 2041851 - ET INFO DYNAMIC_DNS HTTP Request to a *.milk .is Domain (info.rules)
  • 2041852 - ET INFO DYNAMIC_DNS Query to a *.station .moe Domain (info.rules)
  • 2041853 - ET INFO DYNAMIC_DNS HTTP Request to a *.station .moe Domain (info.rules)
  • 2041854 - ET INFO DYNAMIC_DNS Query to a *.infe .com .br Domain (info.rules)
  • 2041855 - ET INFO DYNAMIC_DNS HTTP Request to a *.infe .com .br Domain (info.rules)
  • 2041856 - ET INFO DYNAMIC_DNS Query to a *.darriondemelo .com Domain (info.rules)
  • 2041857 - ET INFO DYNAMIC_DNS HTTP Request to a *.darriondemelo .com Domain (info.rules)
  • 2041858 - ET INFO DYNAMIC_DNS Query to a *.hansa-tmp .cn Domain (info.rules)
  • 2041859 - ET INFO DYNAMIC_DNS HTTP Request to a *.hansa-tmp .cn Domain (info.rules)
  • 2041860 - ET INFO DYNAMIC_DNS Query to a *.sovich .org Domain (info.rules)
  • 2041861 - ET INFO DYNAMIC_DNS HTTP Request to a *.sovich .org Domain (info.rules)
  • 2041862 - ET INFO DYNAMIC_DNS Query to a *.sibmed .org .ru Domain (info.rules)
  • 2041863 - ET INFO DYNAMIC_DNS HTTP Request to a *.sibmed .org .ru Domain (info.rules)
  • 2041864 - ET INFO DYNAMIC_DNS Query to a *.earlyriserscoffeeshop .com Domain (info.rules)
  • 2041865 - ET INFO DYNAMIC_DNS HTTP Request to a *.earlyriserscoffeeshop .com Domain (info.rules)
  • 2041866 - ET INFO DYNAMIC_DNS Query to a *.myjamesonline .net Domain (info.rules)
  • 2041867 - ET INFO DYNAMIC_DNS HTTP Request to a *.myjamesonline .net Domain (info.rules)
  • 2041868 - ET INFO DYNAMIC_DNS Query to a *.alimentoshen .cl Domain (info.rules)
  • 2041869 - ET INFO DYNAMIC_DNS HTTP Request to a *.alimentoshen .cl Domain (info.rules)
  • 2041870 - ET INFO DYNAMIC_DNS Query to a *.ecosys .eu Domain (info.rules)
  • 2041871 - ET INFO DYNAMIC_DNS HTTP Request to a *.ecosys .eu Domain (info.rules)
  • 2041872 - ET INFO DYNAMIC_DNS Query to a *.kidsqt .com Domain (info.rules)
  • 2041873 - ET INFO DYNAMIC_DNS HTTP Request to a *.kidsqt .com Domain (info.rules)
  • 2041874 - ET INFO DYNAMIC_DNS Query to a *.drupalpixels .com Domain (info.rules)
  • 2041875 - ET INFO DYNAMIC_DNS HTTP Request to a *.drupalpixels .com Domain (info.rules)
  • 2041876 - ET INFO DYNAMIC_DNS Query to a *.giantrobotfactory .com Domain (info.rules)
  • 2041877 - ET INFO DYNAMIC_DNS HTTP Request to a *.giantrobotfactory .com Domain (info.rules)
  • 2041878 - ET INFO DYNAMIC_DNS Query to a *.pbohara .com Domain (info.rules)
  • 2041879 - ET INFO DYNAMIC_DNS HTTP Request to a *.pbohara .com Domain (info.rules)
  • 2041880 - ET INFO DYNAMIC_DNS Query to a *.xinit .se Domain (info.rules)
  • 2041881 - ET INFO DYNAMIC_DNS HTTP Request to a *.xinit .se Domain (info.rules)
  • 2041882 - ET INFO DYNAMIC_DNS Query to a *.jmstudios .com Domain (info.rules)
  • 2041883 - ET INFO DYNAMIC_DNS HTTP Request to a *.jmstudios .com Domain (info.rules)
  • 2041884 - ET INFO DYNAMIC_DNS Query to a *.pwm .hu Domain (info.rules)
  • 2041885 - ET INFO DYNAMIC_DNS HTTP Request to a *.pwm .hu Domain (info.rules)
  • 2041886 - ET INFO DYNAMIC_DNS Query to a *.triviem .cl Domain (info.rules)
  • 2041887 - ET INFO DYNAMIC_DNS HTTP Request to a *.triviem .cl Domain (info.rules)
  • 2041888 - ET INFO DYNAMIC_DNS Query to a *.navnirwana .com Domain (info.rules)
  • 2041889 - ET INFO DYNAMIC_DNS HTTP Request to a *.navnirwana .com Domain (info.rules)
  • 2041890 - ET INFO DYNAMIC_DNS Query to a *.salford-hall .co .uk Domain (info.rules)
  • 2041891 - ET INFO DYNAMIC_DNS HTTP Request to a *.salford-hall .co .uk Domain (info.rules)
  • 2041892 - ET INFO DYNAMIC_DNS Query to a *.truewan .co .za Domain (info.rules)
  • 2041893 - ET INFO DYNAMIC_DNS HTTP Request to a *.truewan .co .za Domain (info.rules)
  • 2041894 - ET INFO DYNAMIC_DNS Query to a *.isyour .guru Domain (info.rules)
  • 2041895 - ET INFO DYNAMIC_DNS HTTP Request to a *.isyour .guru Domain (info.rules)
  • 2041896 - ET INFO DYNAMIC_DNS Query to a *.toadfishmonastery .org Domain (info.rules)
  • 2041897 - ET INFO DYNAMIC_DNS HTTP Request to a *.toadfishmonastery .org Domain (info.rules)
  • 2041898 - ET INFO DYNAMIC_DNS Query to a *.superizeme .com Domain (info.rules)
  • 2041899 - ET INFO DYNAMIC_DNS HTTP Request to a *.superizeme .com Domain (info.rules)
  • 2041900 - ET INFO DYNAMIC_DNS Query to a *.thetrist .com Domain (info.rules)
  • 2041901 - ET INFO DYNAMIC_DNS HTTP Request to a *.thetrist .com Domain (info.rules)
  • 2041902 - ET INFO DYNAMIC_DNS Query to a *.gracesiefer .com Domain (info.rules)
  • 2041903 - ET INFO DYNAMIC_DNS HTTP Request to a *.gracesiefer .com Domain (info.rules)
  • 2041904 - ET INFO DYNAMIC_DNS Query to a *.siasolution .com Domain (info.rules)
  • 2041905 - ET INFO DYNAMIC_DNS HTTP Request to a *.siasolution .com Domain (info.rules)
  • 2041906 - ET INFO DYNAMIC_DNS Query to a *.freetruthordare .com Domain (info.rules)
  • 2041907 - ET INFO DYNAMIC_DNS HTTP Request to a *.freetruthordare .com Domain (info.rules)
  • 2041908 - ET INFO DYNAMIC_DNS Query to a *.mchini .com Domain (info.rules)
  • 2041909 - ET INFO DYNAMIC_DNS HTTP Request to a *.mchini .com Domain (info.rules)
  • 2041910 - ET INFO DYNAMIC_DNS Query to a *.studiovk .com Domain (info.rules)
  • 2041911 - ET INFO DYNAMIC_DNS HTTP Request to a *.studiovk .com Domain (info.rules)
  • 2041912 - ET INFO DYNAMIC_DNS Query to a *.kreider .org Domain (info.rules)
  • 2041913 - ET INFO DYNAMIC_DNS HTTP Request to a *.kreider .org Domain (info.rules)
  • 2041914 - ET INFO DYNAMIC_DNS Query to a *.trumpetx .net Domain (info.rules)
  • 2041915 - ET INFO DYNAMIC_DNS HTTP Request to a *.trumpetx .net Domain (info.rules)
  • 2041916 - ET INFO DYNAMIC_DNS Query to a *.sococoffee .com Domain (info.rules)
  • 2041917 - ET INFO DYNAMIC_DNS HTTP Request to a *.sococoffee .com Domain (info.rules)
  • 2041918 - ET INFO DYNAMIC_DNS Query to a *.duta .biz Domain (info.rules)
  • 2041919 - ET INFO DYNAMIC_DNS HTTP Request to a *.duta .biz Domain (info.rules)
  • 2041920 - ET MALWARE GCleaner Downloader Activity M5 (malware.rules)
  • 2041921 - ET ADWARE_PUP Win32/Adware.Neoreklami.MI Activity M1 (adware_pup.rules)
  • 2041922 - ET ADWARE_PUP Win32/Adware.Neoreklami.MI Activity M2 (adware_pup.rules)
  • 2041923 - ET HUNTING Chrome/0 in User-Agent (hunting.rules)
  • 2041924 - ET MALWARE Observed DNS Query to Pirate Stealer Domain (mdvksublbpczqluqvvbytfprxdwakuke .nl) (malware.rules)
  • 2041925 - ET MALWARE Observed Pirate Stealer Domain in DNS Lookup (wearenotbbystealer .nl) (malware.rules)
  • 2041926 - ET PHISHING Successful Generic Credential Phish 2022-12-06 (phishing.rules)
  • 2041927 - ET PHISHING iCloud Credential Phish Landing Page 2022-12-06 (phishing.rules)
  • 2041928 - ET MALWARE Confucious APT CnC Checkin (malware.rules)
  • 2041929 - ET MALWARE Confucious APT CnC Domain (microsoftonedriver .com) in DNS Lookup (malware.rules)
  • 2041930 - ET INFO Observed DNS Query to (proxies .black) Web Proxy/Anonymizer Domain/Sub-Domain (info.rules)
  • 2041931 - ET EXPLOIT Redfish Exploitation Attempt (CVE-2022-40259) (exploit.rules)
  • 2041932 - ET EXPLOIT Redfish API User Enumeration Attempt (CVE-2022-2827) (exploit.rules)

Pro:

  • 2852924 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-12-06 1) (coinminer.rules)
  • 2852925 - ETPRO MALWARE GCleaner Downlaoder - Payload Response (malware.rules)
  • 2852926 - ETPRO MALWARE Win32/Remcos RAT Checkin 853 (malware.rules)
  • 2852927 - ETPRO MALWARE Win32/Remcos RAT Checkin 854 (malware.rules)
  • 2852928 - ETPRO PHISHING Successful Facebook Phish 2022-12-06 (phishing.rules)
  • 2852929 - ETPRO PHISHING Successful Twitter Credential Phish 2022-12-05 (phishing.rules)
  • 2852930 - ETPRO PHISHING Successful Twitter Password Reset Phish 2022-12-05 (phishing.rules)
  • 2852931 - ETPRO PHISHING Twitter Phish Landing Page 2022-12-05 (phishing.rules)

Modified active rules:

  • 2852896 - ETPRO MALWARE VBS/YAV.Minerva.zbqnj Payload Request M1 (malware.rules)
  • 2852897 - ETPRO MALWARE VBS/YAV.Minerva.zbqnj Payload Request M2 (malware.rules)
  • 2852921 - ETPRO MALWARE Win32/Script Downloader Activity (GET) (malware.rules)
  • 2852922 - ETPRO MALWARE Win32/Screenshotter Backdoor Sending Screenshot (POST) (malware.rules)

Removed rules:

  • 2033210 - ET EXPLOIT ForgeRock Access Manager RCE (CVE-2021-35464) (exploit.rules)