Ruleset Update Summary - 2022/12/15 - v10197

Summary:

62 new OPEN, 67 new PRO (62 + 5)

Thanks @Phylum_IO, @Fortinet, @NCSCgov

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

• 2042894 - ET INFO DYNAMIC_DNS Query to a *.2mydns .net Domain (info.rules)
• 2042895 - ET INFO DYNAMIC_DNS HTTP Request to a *.2mydns .net Domain (info.rules)
• 2042896 - ET INFO DYNAMIC_DNS Query to a *.dtdns .org Domain (info.rules)
• 2042897 - ET INFO DYNAMIC_DNS HTTP Request to a *.dtdns .org Domain (info.rules)
• 2042898 - ET INFO DYNAMIC_DNS Query to a *.myddns .biz Domain (info.rules)
• 2042899 - ET INFO DYNAMIC_DNS HTTP Request to a *.myddns .biz Domain (info.rules)
• 2042900 - ET INFO DYNAMIC_DNS Query to a *.wifizone .org Domain (info.rules)
• 2042901 - ET INFO DYNAMIC_DNS HTTP Request to a *.wifizone .org Domain (info.rules)
• 2042902 - ET INFO DYNAMIC_DNS Query to a *.32-b .it Domain (info.rules)
• 2042903 - ET INFO DYNAMIC_DNS HTTP Request to a *.32-b .it Domain (info.rules)
• 2042904 - ET INFO DYNAMIC_DNS Query to a *.ntdll .top Domain (info.rules)
• 2042905 - ET INFO DYNAMIC_DNS HTTP Request to a *.ntdll .top Domain (info.rules)
• 2042906 - ET INFO DYNAMIC_DNS Query to a *.soundcast .me Domain (info.rules)
• 2042907 - ET INFO DYNAMIC_DNS HTTP Request to a *.soundcast .me Domain (info.rules)
• 2042908 - ET INFO DYNAMIC_DNS Query to a *.tcp4 .me Domain (info.rules)
• 2042909 - ET INFO DYNAMIC_DNS HTTP Request to a *.tcp4 .me Domain (info.rules)
• 2042910 - ET INFO DYNAMIC_DNS Query to a *.forumz .info Domain (info.rules)
• 2042911 - ET INFO DYNAMIC_DNS HTTP Request to a *.forumz .info Domain (info.rules)
• 2042912 - ET INFO DYNAMIC_DNS Query to a *.freeddns .us Domain (info.rules)
• 2042913 - ET INFO DYNAMIC_DNS HTTP Request to a *.freeddns .us Domain (info.rules)
• 2042914 - ET INFO DYNAMIC_DNS Query to a *.dnsdyn .net Domain (info.rules)
• 2042915 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsdyn .net Domain (info.rules)
• 2042916 - ET INFO DYNAMIC_DNS Query to a *.64-b .it Domain (info.rules)
• 2042917 - ET INFO DYNAMIC_DNS HTTP Request to a *.64-b .it Domain (info.rules)
• 2042918 - ET INFO DYNAMIC_DNS Query to a *.now-dns .net Domain (info.rules)
• 2042919 - ET INFO DYNAMIC_DNS HTTP Request to a *.now-dns .net Domain (info.rules)
• 2042920 - ET INFO DYNAMIC_DNS Query to a *.nowddns .com Domain (info.rules)
• 2042921 - ET INFO DYNAMIC_DNS HTTP Request to a *.nowddns .com Domain (info.rules)
• 2042922 - ET INFO DYNAMIC_DNS Query to a *.ddns .cam Domain (info.rules)
• 2042923 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .cam Domain (info.rules)
• 2042924 - ET INFO DYNAMIC_DNS Query to a *.ddnslive .com Domain (info.rules)
• 2042925 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddnslive .com Domain (info.rules)
• 2042926 - ET INFO DYNAMIC_DNS Query to a *.clickip .de Domain (info.rules)
• 2042927 - ET INFO DYNAMIC_DNS HTTP Request to a *.clickip .de Domain (info.rules)
• 2042928 - ET INFO DYNAMIC_DNS Query to a *.n4t .co Domain (info.rules)
• 2042929 - ET INFO DYNAMIC_DNS HTTP Request to a *.n4t .co Domain (info.rules)
• 2042930 - ET INFO DYNAMIC_DNS Query to a *.cloudns .net Domain (info.rules)
• 2042931 - ET INFO DYNAMIC_DNS HTTP Request to a *.cloudns .net Domain (info.rules)
• 2042932 - ET INFO DYNAMIC_DNS Query to a *.dynu .com Domain (info.rules)
• 2042933 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynu .com Domain (info.rules)
• 2042934 - ET INFO DYNAMIC_DNS Query to a *.crafting .xyz Domain (info.rules)
• 2042935 - ET INFO DYNAMIC_DNS HTTP Request to a *.crafting .xyz Domain (info.rules)
• 2042936 - ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain (info.rules)
• 2042937 - ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain (info.rules)
• 2042938 - ET INFO DYNAMIC_DNS Query to a *.now-dns .top Domain (info.rules)
• 2042939 - ET INFO DYNAMIC_DNS HTTP Request to a *.now-dns .top Domain (info.rules)
• 2042940 - ET INFO DYNAMIC_DNS Query to a *.dnsapi .info Domain (info.rules)
• 2042941 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsapi .info Domain (info.rules)
• 2042942 - ET MALWARE RedditC2 Related Activity M2 (POST) (malware.rules)
• 2042943 - ET MALWARE Suspected Golang/Zerobot Websocket Activity (GET) (malware.rules)
• 2042944 - ET INFO Suspicious File Extension Inbound (.phonk) (info.rules)
• 2042945 - ET MALWARE Phonk Trojan CnC Checkin (POST) (malware.rules)
• 2042946 - ET MALWARE Win32/Goofy Guineapig CnC Activity (GET) M2 (malware.rules)
• 2042947 - ET MALWARE Win32/Goofy Guineapig CnC Activity (GET) M1 (malware.rules)
• 2042948 - ET MALWARE Observed DNS Query to Goofy Guineapig Domain (static .tcplog .com) (malware.rules)
• 2042949 - ET MALWARE CIA Ransomware Domain (cia .cookie-coin .xyz) in DNS Lookup (malware.rules)
• 2042950 - ET MALWARE CIA Ransomware - wallpaper/readme retrieval attempt (malware.rules)
• 2042951 - ET MALWARE GoLinux/GoTrim CnC Checkin (malware.rules)
• 2042952 - ET PHISHING Successful Made in China Credential Phish 2022-12-14 (phishing.rules)
• 2042953 - ET MALWARE SocGholish Domain in DNS Lookup (fittingroom .gibbsjewelry .com) (malware.rules)
• 2042954 - ET MALWARE SocGholish Domain in DNS Lookup (deposit .coveprice .com) (malware.rules)
• 2042955 - ET MALWARE SocGholish Domain in DNS Lookup (brooklands .harteverything .com) (malware.rules)

Pro:

• 2845553 - ETPRO PHISHING Suspected GoPhish Phishing Landing M1 (phishing.rules)
• 2852950 - ETPRO PHISHING Suspected GoPhish Phishing Landing M2 (phishing.rules)
• 2852953 - ETPRO MALWARE QBot Style Payload Request (malware.rules)
• 2852954 - ETPRO MALWARE Observed Sliver Domain in TLS SNI (malware.rules)
• 2852955 - ETPRO MALWARE Observed DNS Query to Sliver Domain (malware.rules)

Modified active rules:

• 2039470 - ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Inbound) (exploit.rules)

Disabled and modified rules:

• 2028380 - ET JA3 Hash - Possible Malware - Neutrino (ja3.rules)