Summary:
62 new OPEN, 67 new PRO (62 + 5)
Thanks @Phylum_IO, @Fortinet, @NCSCgov
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
Added rules:
Open:
- 2042894 - ET INFO DYNAMIC_DNS Query to a *.2mydns .net Domain (info.rules)
- 2042895 - ET INFO DYNAMIC_DNS HTTP Request to a *.2mydns .net Domain (info.rules)
- 2042896 - ET INFO DYNAMIC_DNS Query to a *.dtdns .org Domain (info.rules)
- 2042897 - ET INFO DYNAMIC_DNS HTTP Request to a *.dtdns .org Domain (info.rules)
- 2042898 - ET INFO DYNAMIC_DNS Query to a *.myddns .biz Domain (info.rules)
- 2042899 - ET INFO DYNAMIC_DNS HTTP Request to a *.myddns .biz Domain (info.rules)
- 2042900 - ET INFO DYNAMIC_DNS Query to a *.wifizone .org Domain (info.rules)
- 2042901 - ET INFO DYNAMIC_DNS HTTP Request to a *.wifizone .org Domain (info.rules)
- 2042902 - ET INFO DYNAMIC_DNS Query to a *.32-b .it Domain (info.rules)
- 2042903 - ET INFO DYNAMIC_DNS HTTP Request to a *.32-b .it Domain (info.rules)
- 2042904 - ET INFO DYNAMIC_DNS Query to a *.ntdll .top Domain (info.rules)
- 2042905 - ET INFO DYNAMIC_DNS HTTP Request to a *.ntdll .top Domain (info.rules)
- 2042906 - ET INFO DYNAMIC_DNS Query to a *.soundcast .me Domain (info.rules)
- 2042907 - ET INFO DYNAMIC_DNS HTTP Request to a *.soundcast .me Domain (info.rules)
- 2042908 - ET INFO DYNAMIC_DNS Query to a *.tcp4 .me Domain (info.rules)
- 2042909 - ET INFO DYNAMIC_DNS HTTP Request to a *.tcp4 .me Domain (info.rules)
- 2042910 - ET INFO DYNAMIC_DNS Query to a *.forumz .info Domain (info.rules)
- 2042911 - ET INFO DYNAMIC_DNS HTTP Request to a *.forumz .info Domain (info.rules)
- 2042912 - ET INFO DYNAMIC_DNS Query to a *.freeddns .us Domain (info.rules)
- 2042913 - ET INFO DYNAMIC_DNS HTTP Request to a *.freeddns .us Domain (info.rules)
- 2042914 - ET INFO DYNAMIC_DNS Query to a *.dnsdyn .net Domain (info.rules)
- 2042915 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsdyn .net Domain (info.rules)
- 2042916 - ET INFO DYNAMIC_DNS Query to a *.64-b .it Domain (info.rules)
- 2042917 - ET INFO DYNAMIC_DNS HTTP Request to a *.64-b .it Domain (info.rules)
- 2042918 - ET INFO DYNAMIC_DNS Query to a *.now-dns .net Domain (info.rules)
- 2042919 - ET INFO DYNAMIC_DNS HTTP Request to a *.now-dns .net Domain (info.rules)
- 2042920 - ET INFO DYNAMIC_DNS Query to a *.nowddns .com Domain (info.rules)
- 2042921 - ET INFO DYNAMIC_DNS HTTP Request to a *.nowddns .com Domain (info.rules)
- 2042922 - ET INFO DYNAMIC_DNS Query to a *.ddns .cam Domain (info.rules)
- 2042923 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .cam Domain (info.rules)
- 2042924 - ET INFO DYNAMIC_DNS Query to a *.ddnslive .com Domain (info.rules)
- 2042925 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddnslive .com Domain (info.rules)
- 2042926 - ET INFO DYNAMIC_DNS Query to a *.clickip .de Domain (info.rules)
- 2042927 - ET INFO DYNAMIC_DNS HTTP Request to a *.clickip .de Domain (info.rules)
- 2042928 - ET INFO DYNAMIC_DNS Query to a *.n4t .co Domain (info.rules)
- 2042929 - ET INFO DYNAMIC_DNS HTTP Request to a *.n4t .co Domain (info.rules)
- 2042930 - ET INFO DYNAMIC_DNS Query to a *.cloudns .net Domain (info.rules)
- 2042931 - ET INFO DYNAMIC_DNS HTTP Request to a *.cloudns .net Domain (info.rules)
- 2042932 - ET INFO DYNAMIC_DNS Query to a *.dynu .com Domain (info.rules)
- 2042933 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynu .com Domain (info.rules)
- 2042934 - ET INFO DYNAMIC_DNS Query to a *.crafting .xyz Domain (info.rules)
- 2042935 - ET INFO DYNAMIC_DNS HTTP Request to a *.crafting .xyz Domain (info.rules)
- 2042936 - ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain (info.rules)
- 2042937 - ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain (info.rules)
- 2042938 - ET INFO DYNAMIC_DNS Query to a *.now-dns .top Domain (info.rules)
- 2042939 - ET INFO DYNAMIC_DNS HTTP Request to a *.now-dns .top Domain (info.rules)
- 2042940 - ET INFO DYNAMIC_DNS Query to a *.dnsapi .info Domain (info.rules)
- 2042941 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsapi .info Domain (info.rules)
- 2042942 - ET MALWARE RedditC2 Related Activity M2 (POST) (malware.rules)
- 2042943 - ET MALWARE Suspected Golang/Zerobot Websocket Activity (GET) (malware.rules)
- 2042944 - ET INFO Suspicious File Extension Inbound (.phonk) (info.rules)
- 2042945 - ET MALWARE Phonk Trojan CnC Checkin (POST) (malware.rules)
- 2042946 - ET MALWARE Win32/Goofy Guineapig CnC Activity (GET) M2 (malware.rules)
- 2042947 - ET MALWARE Win32/Goofy Guineapig CnC Activity (GET) M1 (malware.rules)
- 2042948 - ET MALWARE Observed DNS Query to Goofy Guineapig Domain (static .tcplog .com) (malware.rules)
- 2042949 - ET MALWARE CIA Ransomware Domain (cia .cookie-coin .xyz) in DNS Lookup (malware.rules)
- 2042950 - ET MALWARE CIA Ransomware - wallpaper/readme retrieval attempt (malware.rules)
- 2042951 - ET MALWARE GoLinux/GoTrim CnC Checkin (malware.rules)
- 2042952 - ET PHISHING Successful Made in China Credential Phish 2022-12-14 (phishing.rules)
- 2042953 - ET MALWARE SocGholish Domain in DNS Lookup (fittingroom .gibbsjewelry .com) (malware.rules)
- 2042954 - ET MALWARE SocGholish Domain in DNS Lookup (deposit .coveprice .com) (malware.rules)
- 2042955 - ET MALWARE SocGholish Domain in DNS Lookup (brooklands .harteverything .com) (malware.rules)
Pro:
- 2845553 - ETPRO PHISHING Suspected GoPhish Phishing Landing M1 (phishing.rules)
- 2852950 - ETPRO PHISHING Suspected GoPhish Phishing Landing M2 (phishing.rules)
- 2852953 - ETPRO MALWARE QBot Style Payload Request (malware.rules)
- 2852954 - ETPRO MALWARE Observed Sliver Domain in TLS SNI (malware.rules)
- 2852955 - ETPRO MALWARE Observed DNS Query to Sliver Domain (malware.rules)
Modified active rules:
- 2039470 - ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Inbound) (exploit.rules)
Disabled and modified rules:
- 2028380 - ET JA3 Hash - Possible Malware - Neutrino (ja3.rules)