Ruleset Update Summary - 2022/12/23 - v10204

Summary:

6 new OPEN, 8 new PRO (6 + 2)

Thanks @suyog41

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Note: There will be no release on 12/26 due to observance of holidays. For normalization purposes, we have changed the metadata tag affected_product for Exchange from "MS_Exchange" to read "Microsoft_Exchange".


Added rules:

Open:

  • 2043002 - ET EXPLOIT Microsoft Exchange Remote Code Execution Attempt - OWASSRF (CVE-2022-41040, CVE-2022-41082) (exploit.rules)
  • 2043003 - ET MALWARE Win32/RecordBreaker - Observed UA M5 (23591) (malware.rules)
  • 2043004 - ET MALWARE SocGholish Domain in DNS Lookup (perspective .abcbarbecue .xyz) (malware.rules)
  • 2043005 - ET MALWARE SocGholish Domain in DNS Lookup (exclusive .milonopensky .store) (malware.rules)
  • 2043006 - ET MALWARE SocGholish Domain in DNS Lookup (extcourse .zurvio .com) (malware.rules)
  • 2043007 - ET MALWARE SocGholish Domain in DNS Lookup (internship .ojul .com) (malware.rules)

Pro:

  • 2852980 - ETPRO MALWARE Win32/Fabookie.ek CnC Request M1 (GET) (malware.rules)
  • 2852981 - ETPRO MALWARE Win32/Fabookie.ek CnC Request M3 (GET) (malware.rules)

Modified active rules:

  • 2032897 - ET EXPLOIT Microsoft Exchange RCE Setup Inbound (CVE-2021-28482) (exploit.rules)
  • 2033681 - ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207) (exploit.rules)
  • 2033682 - ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M2 (CVE-2021-31207) (exploit.rules)
  • 2033683 - ET EXPLOIT Vulnerable Microsoft Exchange Server Response (CVE-2021-31207) (exploit.rules)
  • 2033684 - ET EXPLOIT Possible Microsoft Exchange RCE Inbound M1 (CVE-2021-34473) (exploit.rules)
  • 2033701 - ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M1 (CVE-2021-31207) (exploit.rules)
  • 2033711 - ET EXPLOIT Possible Microsoft Exchange RCE Inbound M2 (CVE-2021-34473) (exploit.rules)
  • 2033712 - ET EXPLOIT Possible Microsoft Exchange RCE with Python PSRP Client UA Inbound (CVE-2021-34473) (exploit.rules)
  • 2035648 - ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M2 (CVE-2021-31207) (exploit.rules)
  • 2035649 - ET EXPLOIT Possible Microsoft Exchange RCE Inbound M3 (CVE-2021-34473) (exploit.rules)
  • 2035650 - ET EXPLOIT Possible Microsoft Exchange Mailbox Enumeration Inbound (CVE-2021-34473) (exploit.rules)
  • 2039065 - ET EXPLOIT Microsoft Exchange Remote Code Execution Attempt (CVE-2022-41040, CVE-2022-41082) (exploit.rules)

Disabled and modified rules:

  • 2038949 - ET MALWARE SocGholish Domain in DNS Lookup (predator .foxscalesjewelry .com) (malware.rules)
  • 2039139 - ET MALWARE SocGholish Domain in DNS Lookup (ecar .allsunstates .com) (malware.rules)
  • 2039838 - ET MALWARE SocGholish Domain in DNS Lookup (hook .adieh .com) (malware.rules)