Summary:
22 new OPEN, 23 new PRO (22 + 1)
Thanks @TeamT5_Official, @James_inthe_box, @crep1x, Kevin_Ross
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net/ We will announce the mailing list retirement date in the near future.
Added rules:
Open:
- 2044118 - ET EXPLOIT Possible ImageMagick (7.1.0-49) DOS PNG Upload Attempt (CVE-2022-44267) (exploit.rules)
- 2044119 - ET EXPLOIT Possible ImageMagick (7.1.0-49) DOS PNG Observed Inbound (CVE-2022-44267) (exploit.rules)
- 2044120 - ET EXPLOIT Possible ImageMagick (7.1.0-49) Arbitrary Remote Leak PNG Upload Attempt (CVE-2022-44268) (exploit.rules)
- 2044121 - ET HUNTING Terse Request for Zip File (GET) (hunting.rules)
- 2044122 - ET MALWARE Suspected NginxSpy Related Request (Inbound) (malware.rules)
- 2044123 - ET MALWARE NginxSpy Magic Bytes M2 (Inbound) (malware.rules)
- 2044124 - ET MALWARE NginxSpy Magic Bytes M1 (Outbound) (malware.rules)
- 2044127 - ET MALWARE Win32/Gamaredon CnC Activity (GET) (malware.rules)
- 2044128 - ET MALWARE Win32/Gamaredon CnC Activity (POST) (malware.rules)
- 2044129 - ET MALWARE Win32/Gamaredon CnC Activity (POST) (malware.rules)
- 2044130 - ET MALWARE Observed DNS Query to Gamaredon Domain (antargi .ru) (malware.rules)
- 2044131 - ET MALWARE Observed DNS Query to Gamaredon Domain (mohsengo .shop) (malware.rules)
- 2044132 - ET INFO Ex Libris Library Software DNS Lookup (info.rules)
- 2044133 - ET MALWARE Win32/RecordBreaker - Observed UA M6 (01785252112) (malware.rules)
- 2044134 - ET MALWARE Win32/RecordBreaker - Observed UA M7 (1235125521512) (malware.rules)
- 2044135 - ET MALWARE Win32/RecordBreaker - Observed UA M8 (125122112551) (malware.rules)
- 2044136 - ET INFO Possible SMTP Data Exfiltration - File Attachment Named Files.zip (info.rules)
- 2044137 - ET MALWARE Win32/DarkCloud Variant Exfil over SMTP (FirefoxCookies.json) (malware.rules)
- 2044138 - ET MALWARE Win32/Spy.Banker.AAGB Checkin (malware.rules)
- 2044139 - ET MALWARE Win32/Comrerop Checkin (malware.rules)
- 2044140 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .samples .muzikcitysound .com) (malware.rules)
- 2044141 - ET MALWARE SocGholish Domain in DNS Lookup (telemetry .usacyberpages .net) (malware.rules)
Pro:
- 2853333 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-02-02 1) (coinminer.rules)
Modified inactive rules:
- 2015712 - ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability (CVE-2012-4969) (web_client.rules)
- 2016822 - ET WEB_CLIENT Possible Internet Explorer Use After Free Inbound (CVE-2013-1347) (web_client.rules)
- 2017129 - ET WEB_CLIENT Potential Internet Explorer Use After Free (CVE-2013-3163) (web_client.rules)
- 2017130 - ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2 (web_client.rules)
- 2017131 - ET EXPLOIT Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1 (exploit.rules)
- 2802862 - ETPRO EXPLOIT HP Intelligent Management Center imcsyslogdm Use After Free (exploit.rules)
- 2803035 - ETPRO WEB_CLIENT Microsoft Internet Explorer VML vgx.dll Use After Free 1 (web_client.rules)
- 2803036 - ETPRO WEB_CLIENT Microsoft Internet Explorer VML vgx.dll Use After Free 2 (web_client.rules)
- 2803037 - ETPRO WEB_CLIENT Microsoft Internet Explorer VML vgx.dll Use After Free 3 (web_client.rules)
- 2803038 - ETPRO WEB_CLIENT Microsoft Internet Explorer VML vgx.dll Use After Free 4 (web_client.rules)
- 2803724 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Set TLS 1.0 (web_server.rules)
- 2803725 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt TLS 1.0 (web_server.rules)
- 2803726 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Unset TLS 1.0 (web_server.rules)
- 2803727 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Set SSL 3.0 (web_server.rules)
- 2803728 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 (web_server.rules)
- 2803729 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Unset SSL 3.0 (web_server.rules)
- 2805680 - ETPRO WEB_CLIENT Microsoft Internet Explorer CTreePos Use After Free (CVE-2012-1539) (web_client.rules)
- 2805717 - ETPRO WEB_CLIENT Microsoft Internet Explorer CTreeNode Use After Free (web_client.rules)
- 2806006 - ETPRO WEB_CLIENT Internet Explorer CMarkUP Use After Free (CVE-2013-0020) (web_client.rules)
- 2806020 - ETPRO WEB_CLIENT Internet Explorer CMarkUP Use After Free (CVE-2013-0030) (web_client.rules)
- 2806112 - ETPRO WEB_CLIENT Internet Explorer GetMarkUpPtr Use After free 1 (CVE-2013-0092) (web_client.rules)
- 2806113 - ETPRO WEB_CLIENT CVE-2013-0092 GetMarkUpPtr Use After free 2 (web_client.rules)
- 2806114 - ETPRO WEB_CLIENT Internet Explorer GetMarkUpPtr Use After free 3 (CVE-2013-0092 ) (web_client.rules)
- 2806115 - ETPRO WEB_CLIENT Microsoft Internet Explorer onBeforeCopy Use After Free (web_client.rules)
- 2806358 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer VML Use After Free 2 (CVE-2013-2551) (web_client.rules)
- 2806359 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer VML Use After Free 1 (CVE-2013-2551) (web_client.rules)
- 2806819 - ETPRO WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3188 1 (web_client.rules)
- 2806820 - ETPRO WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3188 2 (web_client.rules)
- 2807511 - ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 1 (web_client.rules)
- 2807642 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0271) (web_client.rules)
- 2807647 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 1 (web_client.rules)
- 2807648 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 2 (web_client.rules)
- 2807649 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 3 (web_client.rules)
- 2807654 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0283) (web_client.rules)
- 2807660 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer Use After free (CVE-2014-0289) (web_client.rules)
- 2807935 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1753) (web_client.rules)
- 2807936 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1755) (web_client.rules)
- 2808040 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1815) (web_client.rules)
- 2808041 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1815) (web_client.rules)
- 2808151 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1800) (web_client.rules)
- 2809746 - ETPRO WEB_CLIENT Internet Explorer CTreePos Use After Free (CVE-2015-0068) 1 (web_client.rules)
- 2814830 - ETPRO WEB_CLIENT IE Use After Free CEditEventSink (CVE-2015-6071) (web_client.rules)
Disabled and modified rules:
- 2839423 - ETPRO EXPLOIT_KIT PurpleFox EK Framework Certificate Observed (exploit_kit.rules)