Ruleset Update Summary - 2023/01/19 - v10224

Summary:

36 new OPEN, 48 new PRO (36 + 12)

Thanks @ahnlab, @TrendMicro, @unit42_intel

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.


Added rules:

Open:

  • 2043335 - ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M1 (CVE-2022-47966) (exploit.rules)
  • 2043336 - ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M2 (CVE-2022-47966) (exploit.rules)
  • 2043337 - ET INFO Request for EXE via Powershell (info.rules)
  • 2043338 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (dns2 .dns-ga .de) (info.rules)
  • 2043339 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (nebula .sly .io) (info.rules)
  • 2043340 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (dns .rotunneling .net) (info.rules)
  • 2043341 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (secure .avastdns .com) (info.rules)
  • 2043342 - ET INFO Observed DNS Over HTTPS Domain in TLS SNI (lindung .pp .ua) (info.rules)
  • 2043343 - ET INFO RustDesk Domain in DNS Lookup (info.rules)
  • 2043344 - ET MALWARE BatLoader CnC Domain (grammarlycheck2 .com) in DNS Lookup (malware.rules)
  • 2043345 - ET MALWARE BatLoader CnC Domain (updatea1 .com) in DNS Lookup (malware.rules)
  • 2043346 - ET MALWARE BatLoader CnC Domain (updateclientssoftware .com) in DNS Lookup (malware.rules)
  • 2043347 - ET MALWARE BatLoader CnC Domain (t1pixel .com) in DNS Lookup (malware.rules)
  • 2043348 - ET MALWARE BatLoader CnC Domain (24xpixeladvertising .com) in DNS Lookup (malware.rules)
  • 2043349 - ET MALWARE BatLoader CnC Domain (clodtechnology .com) in DNS Lookup (malware.rules)
  • 2043350 - ET MALWARE BatLoader CnC Domain (updatecloudservice1 .com) in DNS Lookup (malware.rules)
  • 2043351 - ET MALWARE BatLoader CnC Domain (externalchecksso .com) in DNS Lookup (malware.rules)
  • 2043352 - ET MALWARE BatLoader CnC Domain (cloudupdatesss .com) in DNS Lookup (malware.rules)
  • 2043353 - ET MALWARE Observed BatLoader Domain (grammarlycheck2 .com) in TLS SNI (malware.rules)
  • 2043354 - ET MALWARE Observed BatLoader Domain (updatea1 .com) in TLS SNI (malware.rules)
  • 2043355 - ET MALWARE Observed BatLoader Domain (updateclientssoftware .com) in TLS SNI (malware.rules)
  • 2043356 - ET MALWARE Observed BatLoader Domain (t1pixel .com) in TLS SNI (malware.rules)
  • 2043357 - ET MALWARE Observed BatLoader Domain (24xpixeladvertising .com) in TLS SNI (malware.rules)
  • 2043358 - ET MALWARE Observed BatLoader Domain (clodtechnology .com) in TLS SNI (malware.rules)
  • 2043359 - ET MALWARE Observed BatLoader Domain (updatecloudservice1 .com) in TLS SNI (malware.rules)
  • 2043360 - ET MALWARE Observed BatLoader Domain (externalchecksso .com) in TLS SNI (malware.rules)
  • 2043361 - ET MALWARE Observed BatLoader Domain (cloudupdatesss .com) in TLS SNI (malware.rules)
  • 2043362 - ET MALWARE Playful Taurus Malicious SSL Certificate Observed (malware.rules)
  • 2043363 - ET MALWARE Playful Taurus CnC Domain (vpnkerio .com) in DNS Lookup (malware.rules)
  • 2043364 - ET MALWARE Playful Taurus Observe malicious SSL Cert (self-signed www .netgate .com) (malware.rules)
  • 2043365 - ET MALWARE Playful Taurus CnC Domain (scm .oracleapps .org) in DNS Lookup (malware.rules)
  • 2043366 - ET MALWARE Playful Taurus CnC Domain (update .adboeonline .net) in DNS Lookup (malware.rules)
  • 2043367 - ET MALWARE Playful Taurus CnC Domain (mail .indiarailways .net) in DNS Lookup (malware.rules)
  • 2043368 - ET MALWARE Playful Taurus CnC Domain (update .delldrivers .in) in DNS Lookup (malware.rules)
  • 2043369 - ET MALWARE Kimsuky Related CnC (malware.rules)
  • 2043370 - ET MALWARE Kimsuky CnC Domain (lifehelper .kr) in DNS Lookup (malware.rules)

Pro:

  • 2853060 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (Replace) M1 (hunting.rules)
  • 2853061 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (Replace) M2 (hunting.rules)
  • 2853062 - ETPRO HUNTING Possible PowerShell Inbound - Casing Anomaly (StringChar) M1 (hunting.rules)
  • 2853063 - ETPRO HUNTING Possible PowerShell Inbound - Char Concat Obfuscation (hunting.rules)
  • 2853064 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-01-19 1) (coinminer.rules)
  • 2853066 - ETPRO MALWARE UltimateLoader Domain in DNS Lookup (malware.rules)
  • 2853067 - ETPRO MALWARE UltimateLoader Payload Response (malware.rules)
  • 2853068 - ETPRO MALWARE UltimateLoader Payload Response (malware.rules)
  • 2853069 - ETPRO MALWARE Win32/Remcos RAT Checkin 859 (malware.rules)
  • 2853070 - ETPRO MALWARE Win32/Remcos RAT Checkin 860 (malware.rules)
  • 2853071 - ETPRO MALWARE UltimateLoader Payload Request (malware.rules)
  • 2853072 - ETPRO MALWARE PS1Loader Exfil (malware.rules)

Modified active rules:

  • 2035087 - ET INFO Gophish X-Server (info.rules)
  • 2043308 - ET MALWARE Win32/Emotet CnC Activity M12 (POST) (malware.rules)
  • 2845553 - ETPRO PHISHING Suspected GoPhish Phishing Landing M1 (phishing.rules)
  • 2852950 - ETPRO PHISHING Suspected GoPhish Phishing Landing M2 (phishing.rules)

Disabled and modified rules:

  • 2018147 - ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322 (web_client.rules)
  • 2018308 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 2 (exploit.rules)
  • 2018309 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 3 (exploit.rules)
  • 2018310 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 4 (exploit.rules)
  • 2018311 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 5 (exploit.rules)
  • 2018312 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 6 (exploit.rules)
  • 2018314 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 1 (exploit.rules)
  • 2018559 - ET EXPLOIT SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195 (exploit.rules)
  • 2018561 - ET EXPLOIT SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195 (exploit.rules)
  • 2019181 - ET MOBILE_MALWARE Possible Android CVE-2014-6041 (mobile_malware.rules)
  • 2019418 - ET EXPLOIT SSL excessive fatal alerts (possible POODLE attack against server) (exploit.rules)
  • 2019420 - ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download (web_client.rules)
  • 2019897 - ET EXPLOIT Possible PYKEK Priv Esc in-use (exploit.rules)
  • 2020067 - ET EXPLOIT Possible CVE-2014-6332 Arrays with Offset Dec 23 (exploit.rules)
  • 2039427 - ET MALWARE SocGholish Domain in DNS Lookup (festival .robingaster .com) (malware.rules)
  • 2042953 - ET MALWARE SocGholish Domain in DNS Lookup (fittingroom .gibbsjewelry .com) (malware.rules)
  • 2042954 - ET MALWARE SocGholish Domain in DNS Lookup (deposit .coveprice .com) (malware.rules)
  • 2042955 - ET MALWARE SocGholish Domain in DNS Lookup (brooklands .harteverything .com) (malware.rules)
  • 2807512 - ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 2 (web_client.rules)
  • 2807640 - ETPRO WEB_CLIENT Microsoft XML Core Services 3.0 same-origin policy bypass (CVE-2014-0266) (web_client.rules)
  • 2807641 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0270) (web_client.rules)
  • 2807643 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0273) (web_client.rules)
  • 2807645 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0275) (web_client.rules)
  • 2807652 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0279) (web_client.rules)
  • 2807653 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0281) (web_client.rules)
  • 2807802 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0299) (web_client.rules)
  • 2809255 - ETPRO EXPLOIT SChannel Possible Heap Overflow CVE-2014-6321 SSLv3 (exploit.rules)
  • 2809256 - ETPRO EXPLOIT SChannel Possible Heap Overflow CVE-2014-6321 TLSv1.0 (exploit.rules)
  • 2809258 - ETPRO EXPLOIT SChannel Possible Heap Overflow CVE-2014-6321 TLSv1.2 (exploit.rules)
  • 2809299 - ETPRO WEB_CLIENT Internet Explorer Use After Free CVE-2014-6329 M1 (web_client.rules)
  • 2809300 - ETPRO WEB_CLIENT Internet Explorer Use After Free CVE-2014-6329 M2 (web_client.rules)
  • 2809301 - ETPRO WEB_CLIENT Internet Explorer Use After Free CVE-2014-6329 M3 (web_client.rules)
  • 2809302 - ETPRO WEB_CLIENT Possible Internet Explorerer Use After Free CVE-2014-6330 (web_client.rules)
  • 2809304 - ETPRO WEB_CLIENT Microsoft Rich Text File Use-After-Free cve-2014-6357 (web_client.rules)
  • 2809305 - ETPRO WEB_CLIENT Microsoft Excel corrupted OfficeArtBstoreContainer record download cve-2014-6360 (web_client.rules)
  • 2809306 - ETPRO WEB_CLIENT Microsoft Excel corrupted incorrect type assumed BiffRecord download cve-2014-6361 - SET (web_client.rules)
  • 2809307 - ETPRO WEB_CLIENT Microsoft Excel corrupted incorrect type assumed BiffRecord download cve-2014-6361 (web_client.rules)
  • 2809308 - ETPRO WEB_CLIENT VBScript Use-After-Free CVE-2014-6363 (web_client.rules)
  • 2809310 - ETPRO WEB_CLIENT Possible Internet Explorer Use After Free CVE-2014-6366 (web_client.rules)
  • 2809311 - ETPRO WEB_CLIENT Possible Internet Explorer Use After Free CVE-2014-6369 (web_client.rules)
  • 2809312 - ETPRO WEB_CLIENT IE Incorrect Object Type CVE-2014-6373 (web_client.rules)
  • 2809380 - ETPRO EXPLOIT Possible CVE-2014-6324 Priv escalation attempt (exploit.rules)

Removed rules:

  • 2018179 - ET EXPLOIT Obfuscation Technique Used in CVE-2014-0322 Attacks (exploit.rules)
  • 2019773 - ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 1 (Observed in Archie EK) (exploit_kit.rules)
  • 2019774 - ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 2 (Observed in Archie EK) (exploit_kit.rules)
  • 2019778 - ET EXPLOIT DLSw Information Disclosure CVE-2014-7992 (exploit.rules)
  • 2019792 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE (exploit.rules)
  • 2019793 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEX (exploit.rules)
  • 2019794 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXC (exploit.rules)
  • 2019795 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS (exploit.rules)
  • 2019796 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECC (exploit.rules)
  • 2019797 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECCS (exploit.rules)
  • 2019806 - ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed) (exploit.rules)