Ruleset Update Summary - 2022/12/14 - v10196

Ruleset Updates
1

Summary:

119 new OPEN, 120 new PRO (119 + 1)

Thanks NoahWolf, @Slash30Miata, @Unit42_Intel

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

  • 2042775 - ET MALWARE Filez Downloader Checkin (malware.rules)
  • 2042776 - ET INFO DYNAMIC_DNS Query to a *.ndra .biz Domain (info.rules)
  • 2042777 - ET INFO DYNAMIC_DNS HTTP Request to a *.ndra .biz Domain (info.rules)
  • 2042778 - ET INFO DYNAMIC_DNS HTTP Request to a *.stufftoread .com Domain (info.rules)
  • 2042779 - ET INFO DYNAMIC_DNS HTTP Request to a *.hosthampster .com Domain (info.rules)
  • 2042780 - ET INFO DYNAMIC_DNS HTTP Request to a *.collegefan .org Domain (info.rules)
  • 2042781 - ET INFO DYNAMIC_DNS HTTP Request to a *.mysecuritycamera .org Domain (info.rules)
  • 2042782 - ET INFO DYNAMIC_DNS HTTP Request to a *.servesarcasm .com Domain (info.rules)
  • 2042783 - ET INFO DYNAMIC_DNS HTTP Request to a *.golffan .us Domain (info.rules)
  • 2042784 - ET INFO DYNAMIC_DNS HTTP Request to a *.viewdns .net Domain (info.rules)
  • 2042785 - ET INFO DYNAMIC_DNS HTTP Request to a *.mysecuritycamera .com Domain (info.rules)
  • 2042786 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveexchange .com Domain (info.rules)
  • 2042787 - ET INFO DYNAMIC_DNS HTTP Request to a *.nhlfan .net Domain (info.rules)
  • 2042788 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveminecraft .net Domain (info.rules)
  • 2042789 - ET INFO DYNAMIC_DNS HTTP Request to a *.onthewifi .com Domain (info.rules)
  • 2042790 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveftp .com Domain (info.rules)
  • 2042791 - ET INFO DYNAMIC_DNS HTTP Request to a *.myftp .org Domain (info.rules)
  • 2042792 - ET INFO DYNAMIC_DNS HTTP Request to a *.zapto .org Domain (info.rules)
  • 2042793 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .me Domain (info.rules)
  • 2042794 - ET INFO DYNAMIC_DNS HTTP Request to a *.mymediapc .net Domain (info.rules)
  • 2042795 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddnsking .com Domain (info.rules)
  • 2042796 - ET INFO DYNAMIC_DNS HTTP Request to a *.bounceme .net Domain (info.rules)
  • 2042797 - ET INFO DYNAMIC_DNS HTTP Request to a *.3utilities .com Domain (info.rules)
  • 2042798 - ET INFO DYNAMIC_DNS HTTP Request to a *.point2this .com Domain (info.rules)
  • 2042799 - ET INFO DYNAMIC_DNS HTTP Request to a *.servehttp .com Domain (info.rules)
  • 2042800 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsfor .me Domain (info.rules)
  • 2042801 - ET INFO DYNAMIC_DNS HTTP Request to a *.eating-organic .net Domain (info.rules)
  • 2042802 - ET INFO DYNAMIC_DNS HTTP Request to a *.unusualperson .com Domain (info.rules)
  • 2042803 - ET INFO DYNAMIC_DNS HTTP Request to a *.servehalflife .com Domain (info.rules)
  • 2042804 - ET INFO DYNAMIC_DNS HTTP Request to a *.loginto .me Domain (info.rules)
  • 2042805 - ET INFO DYNAMIC_DNS HTTP Request to a *.myftp .biz Domain (info.rules)
  • 2042806 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain (info.rules)
  • 2042807 - ET INFO DYNAMIC_DNS HTTP Request to a *.servepics .com Domain (info.rules)
  • 2042808 - ET INFO DYNAMIC_DNS HTTP Request to a *.mysecuritycamera .net Domain (info.rules)
  • 2042809 - ET INFO DYNAMIC_DNS HTTP Request to a *.geekgalaxy .com Domain (info.rules)
  • 2042810 - ET INFO DYNAMIC_DNS HTTP Request to a *.ilovecollege .info Domain (info.rules)
  • 2042811 - ET INFO DYNAMIC_DNS HTTP Request to a *.fantasyleague .cc Domain (info.rules)
  • 2042812 - ET INFO DYNAMIC_DNS HTTP Request to a *.homesecuritymac .com Domain (info.rules)
  • 2042813 - ET INFO DYNAMIC_DNS HTTP Request to a *.blogsyte .com Domain (info.rules)
  • 2042814 - ET INFO DYNAMIC_DNS HTTP Request to a *.nflfan .org Domain (info.rules)
  • 2042815 - ET INFO DYNAMIC_DNS HTTP Request to a *.webhop .me Domain (info.rules)
  • 2042816 - ET INFO DYNAMIC_DNS HTTP Request to a *.couchpotatofries .org Domain (info.rules)
  • 2042817 - ET INFO DYNAMIC_DNS HTTP Request to a *.servequake .com Domain (info.rules)
  • 2042818 - ET INFO DYNAMIC_DNS HTTP Request to a *.servep2p .com Domain (info.rules)
  • 2042819 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveirc .com Domain (info.rules)
  • 2042820 - ET INFO DYNAMIC_DNS HTTP Request to a *.servegame .com Domain (info.rules)
  • 2042821 - ET INFO DYNAMIC_DNS HTTP Request to a *.securitytactics .com Domain (info.rules)
  • 2042822 - ET INFO DYNAMIC_DNS HTTP Request to a *.redirectme .net Domain (info.rules)
  • 2042823 - ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain (info.rules)
  • 2042824 - ET INFO DYNAMIC_DNS Query to a *.line .pm Domain (info.rules)
  • 2042825 - ET INFO DYNAMIC_DNS HTTP Request to a *.line .pm Domain (info.rules)
  • 2042826 - ET INFO DYNAMIC_DNS Query to a *.work .gd Domain (info.rules)
  • 2042827 - ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain (info.rules)
  • 2042828 - ET INFO DYNAMIC_DNS HTTP Request to a *.linkpc .net Domain (info.rules)
  • 2042829 - ET INFO DYNAMIC_DNS Query to a *.run .place Domain (info.rules)
  • 2042830 - ET INFO DYNAMIC_DNS HTTP Request to a *.run .place Domain (info.rules)
  • 2042831 - ET INFO DYNAMIC_DNS Query to a *.dns .army Domain (info.rules)
  • 2042832 - ET INFO DYNAMIC_DNS HTTP Request to a *.dns .army Domain (info.rules)
  • 2042833 - ET INFO DYNAMIC_DNS Query to a *.v6 .army Domain (info.rules)
  • 2042834 - ET INFO DYNAMIC_DNS HTTP Request to a *.v6 .army Domain (info.rules)
  • 2042835 - ET INFO DYNAMIC_DNS Query to a *.v6 .navy Domain (info.rules)
  • 2042836 - ET INFO DYNAMIC_DNS HTTP Request to a *.v6 .navy Domain (info.rules)
  • 2042837 - ET INFO DYNAMIC_DNS Query to a *.dynv6 .net Domain (info.rules)
  • 2042838 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynv6 .net Domain (info.rules)
  • 2042839 - ET INFO DYNAMIC_DNS Query to a *.dns .navy Domain (info.rules)
  • 2042840 - ET INFO DYNAMIC_DNS HTTP Request to a *.dns .navy Domain (info.rules)
  • 2042841 - ET INFO DYNAMIC_DNS Query to a *.v6 .rocks Domain (info.rules)
  • 2042842 - ET INFO DYNAMIC_DNS HTTP Request to a *.v6 .rocks Domain (info.rules)
  • 2042843 - ET INFO DYNAMIC_DNS Query to a *.16-b .it Domain (info.rules)
  • 2042844 - ET INFO DYNAMIC_DNS HTTP Request to a *.16-b .it Domain (info.rules)
  • 2042845 - ET INFO DYNAMIC_DNS Query to a *.freeddns .uk Domain (info.rules)
  • 2042846 - ET INFO DYNAMIC_DNS HTTP Request to a *.freeddns .uk Domain (info.rules)
  • 2042847 - ET INFO DYNAMIC_DNS Query to a *.001www .com Domain (info.rules)
  • 2042848 - ET INFO DYNAMIC_DNS HTTP Request to a *.001www .com Domain (info.rules)
  • 2042849 - ET INFO DYNAMIC_DNS Query to a *.x443 .pw Domain (info.rules)
  • 2042850 - ET INFO DYNAMIC_DNS HTTP Request to a *.x443 .pw Domain (info.rules)
  • 2042851 - ET INFO DYNAMIC_DNS Query to a *.myiphost .com Domain (info.rules)
  • 2042852 - ET INFO DYNAMIC_DNS HTTP Request to a *.myiphost .com Domain (info.rules)
  • 2042853 - ET INFO DYNAMIC_DNS Query to a *.dnsup .net Domain (info.rules)
  • 2042854 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsup .net Domain (info.rules)
  • 2042855 - ET INFO DYNAMIC_DNS Query to a *.dnslive .net Domain (info.rules)
  • 2042856 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnslive .net Domain (info.rules)
  • 2042857 - ET INFO DYNAMIC_DNS Query to a *.vpndns .net Domain (info.rules)
  • 2042858 - ET INFO DYNAMIC_DNS HTTP Request to a *.vpndns .net Domain (info.rules)
  • 2042859 - ET INFO DYNAMIC_DNS Query to a *.dnsget .org Domain (info.rules)
  • 2042860 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsget .org Domain (info.rules)
  • 2042861 - ET INFO DYNAMIC_DNS Query to a *.dynip .org Domain (info.rules)
  • 2042862 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynip .org Domain (info.rules)
  • 2042863 - ET INFO DYNAMIC_DNS Query to a *.dynserv .org Domain (info.rules)
  • 2042864 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynserv .org Domain (info.rules)
  • 2042865 - ET INFO DYNAMIC_DNS Query to a *.hicam .net Domain (info.rules)
  • 2042866 - ET INFO DYNAMIC_DNS HTTP Request to a *.hicam .net Domain (info.rules)
  • 2042867 - ET INFO DYNAMIC_DNS Query to a *.mypi .co Domain (info.rules)
  • 2042868 - ET INFO DYNAMIC_DNS HTTP Request to a *.mypi .co Domain (info.rules)
  • 2042869 - ET INFO DYNAMIC_DNS Query to a *.dnsking .ch Domain (info.rules)
  • 2042870 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsking .ch Domain (info.rules)
  • 2042871 - ET INFO DYNAMIC_DNS Query to a *.now-dns .org Domain (info.rules)
  • 2042872 - ET INFO DYNAMIC_DNS HTTP Request to a *.now-dns .org Domain (info.rules)
  • 2042873 - ET INFO DYNAMIC_DNS Query to a *.ownip .net Domain (info.rules)
  • 2042874 - ET INFO DYNAMIC_DNS HTTP Request to a *.ownip .net Domain (info.rules)
  • 2042875 - ET INFO DYNAMIC_DNS Query to a *.tftpd .net Domain (info.rules)
  • 2042876 - ET INFO DYNAMIC_DNS HTTP Request to a *.tftpd .net Domain (info.rules)
  • 2042877 - ET INFO Observed SyncroMSP Remote Management Software Domain in DNS Lookup (kabutoservices .com) (info.rules)
  • 2042878 - ET INFO Observed SyncroMSP Remote Management Software Domain in DNS Lookup (repairshopr .com) (info.rules)
  • 2042879 - ET INFO Observed SyncroMSP Remote Management Software Domain (repairshopr .com in TLS SNI) (info.rules)
  • 2042880 - ET INFO Observed SyncroMSP Remote Management Software Domain (kabutoservices .com in TLS SNI) (info.rules)
  • 2042881 - ET INFO SyncroMSP Remote Remote Management Software Install Registration (info.rules)
  • 2042882 - ET INFO SyncroMSP Remote Remote Management Software Install Checkin (info.rules)
  • 2042883 - ET HUNTING RedditSharp UA in POST (POST) (hunting.rules)
  • 2042884 - ET MALWARE RedditC2 Related Activity (POST) (malware.rules)
  • 2042885 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
  • 2042886 - ET MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
  • 2042887 - ET MALWARE PS/PSRansom Client Checkin (GET) (malware.rules)
  • 2042888 - ET MALWARE PS/PSRansom Server Status Check (GET) (malware.rules)
  • 2042889 - ET INFO Online Code Editor Domain in DNS Lookup (trinket .io) (info.rules)
  • 2042890 - ET MALWARE Win32/Khaosz.A!MTB Checkin - Command Retrieval (malware.rules)
  • 2042891 - ET MALWARE Win32/Sality.NBA Exfil (malware.rules)
  • 2042892 - ET PHISHING Successful Australian Government myGov Credential Phish 2022-12-14 (phishing.rules)
  • 2042893 - ET PHISHING Successful America First CU Credential Phish 2022-12-14 (phishing.rules)

Pro:

  • 2852949 - ETPRO MALWARE Win32/Remcos RAT Checkin 855 (malware.rules)

Modified active rules:

  • 2852922 - ETPRO MALWARE Win32/Screenshotter Backdoor Sending Screenshot (POST) (malware.rules)

Removed rules:

  • 2845553 - ETPRO PHISHING Suspected GoPhish Phishing Landing M1 (phishing.rules)
  • 2851692 - ETPRO MALWARE Filez Downloader Checkin (malware.rules)