Ruleset Update Summary - 2023/01/13 - v10220

Ruleset Updates
1

Summary:

8 new OPEN, 11 new PRO (8 + 3)

Thanks @executemalware, @RedDrip7

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

  • 2043296 - ET MALWARE OneNote Notebook Downloaded via Powershell (malware.rules)
  • 2043297 - ET MALWARE Observed DNS Query to Xworm Domain (su1d .nerdpol .ovh) (malware.rules)
  • 2043298 - ET MALWARE Win32/Gamaredon CnC Activity (malware.rules)
  • 2043299 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2043300 - ET MALWARE Cobalt Strike Domain in DNS Lookup (fepopeguc .com) (malware.rules)
  • 2043301 - ET MALWARE Cobalt Strike Domain (fepopeguc .com) in TLS SNI (malware.rules)
  • 2043302 - ET EXPLOIT CentOS Control Web Panel Pre-Auth Remote Code Execution (CVE-2022-44877) (exploit.rules)
  • 2043303 - ET MALWARE Win32/Spy.KeyLogger.RJA Checkin (malware.rules)

Pro:

  • 2853042 - ETPRO MALWARE Java/Adwind Variant CnC Activity (malware.rules)
  • 2853043 - ETPRO MALWARE Java/Adwind Variant Checkin (malware.rules)
  • 2853044 - ETPRO MALWARE Java/Adwind Variant CnC Activity (malware.rules)

Modified active rules:

  • 2043293 - ET MALWARE Magecart Loader Domain in DNS Lookup (2xdepp .com) (malware.rules)
  • 2043295 - ET MALWARE Magecart Skimmer Domain in DNS Lookup (elon2xmusk .com) (malware.rules)
  • 2853038 - ETPRO MALWARE Arkei/Vidar/Mars Stealer Variant User-Agent Observed (malware.rules)

Disabled and modified rules:

  • 2019732 - ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode (web_client.rules)
  • 2808986 - ETPRO WEB_CLIENT Possible malformed disk image transfer (CVE-2014-4115) (web_client.rules)
  • 2809230 - ETPRO EXPLOIT Hikvision DVR Buffer Overflow Exploit Attempt CVE-2014-4878 (exploit.rules)
  • 2809231 - ETPRO EXPLOIT Hikvision DVR Buffer Overflow Exploit Attempt CVE-2014-4879 (exploit.rules)
  • 2809232 - ETPRO EXPLOIT Hikvision DVR Buffer Overflow Exploit Attempt CVE-2014-4880 (exploit.rules)

Removed rules:

  • 2019734 - ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct (exploit.rules)
  • 2019735 - ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode (exploit.rules)