Ruleset Update Summary - 2023/02/06 - v10237

rulesbot · February 6, 2023, 9:55pm

Summary:

22 new OPEN, 23 new PRO (22 + 1)

Thanks @TeamT5_Official, @James_inthe_box, @crep1x, Kevin_Ross

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net/ We will announce the mailing list retirement date in the near future.

Added rules:

Open:

2044118 - ET EXPLOIT Possible ImageMagick (7.1.0-49) DOS PNG Upload Attempt (CVE-2022-44267) (exploit.rules)
2044119 - ET EXPLOIT Possible ImageMagick (7.1.0-49) DOS PNG Observed Inbound (CVE-2022-44267) (exploit.rules)
2044120 - ET EXPLOIT Possible ImageMagick (7.1.0-49) Arbitrary Remote Leak PNG Upload Attempt (CVE-2022-44268) (exploit.rules)
2044121 - ET HUNTING Terse Request for Zip File (GET) (hunting.rules)
2044122 - ET MALWARE Suspected NginxSpy Related Request (Inbound) (malware.rules)
2044123 - ET MALWARE NginxSpy Magic Bytes M2 (Inbound) (malware.rules)
2044124 - ET MALWARE NginxSpy Magic Bytes M1 (Outbound) (malware.rules)
2044127 - ET MALWARE Win32/Gamaredon CnC Activity (GET) (malware.rules)
2044128 - ET MALWARE Win32/Gamaredon CnC Activity (POST) (malware.rules)
2044129 - ET MALWARE Win32/Gamaredon CnC Activity (POST) (malware.rules)
2044130 - ET MALWARE Observed DNS Query to Gamaredon Domain (antargi .ru) (malware.rules)
2044131 - ET MALWARE Observed DNS Query to Gamaredon Domain (mohsengo .shop) (malware.rules)
2044132 - ET INFO Ex Libris Library Software DNS Lookup (info.rules)
2044133 - ET MALWARE Win32/RecordBreaker - Observed UA M6 (01785252112) (malware.rules)
2044134 - ET MALWARE Win32/RecordBreaker - Observed UA M7 (1235125521512) (malware.rules)
2044135 - ET MALWARE Win32/RecordBreaker - Observed UA M8 (125122112551) (malware.rules)
2044136 - ET INFO Possible SMTP Data Exfiltration - File Attachment Named Files.zip (info.rules)
2044137 - ET MALWARE Win32/DarkCloud Variant Exfil over SMTP (FirefoxCookies.json) (malware.rules)
2044138 - ET MALWARE Win32/Spy.Banker.AAGB Checkin (malware.rules)
2044139 - ET MALWARE Win32/Comrerop Checkin (malware.rules)
2044140 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .samples .muzikcitysound .com) (malware.rules)
2044141 - ET MALWARE SocGholish Domain in DNS Lookup (telemetry .usacyberpages .net) (malware.rules)

Pro:

2853333 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2023-02-02 1) (coinminer.rules)

Modified inactive rules:

2015712 - ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability (CVE-2012-4969) (web_client.rules)
2016822 - ET WEB_CLIENT Possible Internet Explorer Use After Free Inbound (CVE-2013-1347) (web_client.rules)
2017129 - ET WEB_CLIENT Potential Internet Explorer Use After Free (CVE-2013-3163) (web_client.rules)
2017130 - ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2 (web_client.rules)
2017131 - ET EXPLOIT Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1 (exploit.rules)
2802862 - ETPRO EXPLOIT HP Intelligent Management Center imcsyslogdm Use After Free (exploit.rules)
2803035 - ETPRO WEB_CLIENT Microsoft Internet Explorer VML vgx.dll Use After Free 1 (web_client.rules)
2803036 - ETPRO WEB_CLIENT Microsoft Internet Explorer VML vgx.dll Use After Free 2 (web_client.rules)
2803037 - ETPRO WEB_CLIENT Microsoft Internet Explorer VML vgx.dll Use After Free 3 (web_client.rules)
2803038 - ETPRO WEB_CLIENT Microsoft Internet Explorer VML vgx.dll Use After Free 4 (web_client.rules)
2803724 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Set TLS 1.0 (web_server.rules)
2803725 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt TLS 1.0 (web_server.rules)
2803726 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Unset TLS 1.0 (web_server.rules)
2803727 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Set SSL 3.0 (web_server.rules)
2803728 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt SSL 3.0 (web_server.rules)
2803729 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Unset SSL 3.0 (web_server.rules)
2805680 - ETPRO WEB_CLIENT Microsoft Internet Explorer CTreePos Use After Free (CVE-2012-1539) (web_client.rules)
2805717 - ETPRO WEB_CLIENT Microsoft Internet Explorer CTreeNode Use After Free (web_client.rules)
2806006 - ETPRO WEB_CLIENT Internet Explorer CMarkUP Use After Free (CVE-2013-0020) (web_client.rules)
2806020 - ETPRO WEB_CLIENT Internet Explorer CMarkUP Use After Free (CVE-2013-0030) (web_client.rules)
2806112 - ETPRO WEB_CLIENT Internet Explorer GetMarkUpPtr Use After free 1 (CVE-2013-0092) (web_client.rules)
2806113 - ETPRO WEB_CLIENT CVE-2013-0092 GetMarkUpPtr Use After free 2 (web_client.rules)
2806114 - ETPRO WEB_CLIENT Internet Explorer GetMarkUpPtr Use After free 3 (CVE-2013-0092 ) (web_client.rules)
2806115 - ETPRO WEB_CLIENT Microsoft Internet Explorer onBeforeCopy Use After Free (web_client.rules)
2806358 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer VML Use After Free 2 (CVE-2013-2551) (web_client.rules)
2806359 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer VML Use After Free 1 (CVE-2013-2551) (web_client.rules)
2806819 - ETPRO WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3188 1 (web_client.rules)
2806820 - ETPRO WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3188 2 (web_client.rules)
2807511 - ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 1 (web_client.rules)
2807642 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0271) (web_client.rules)
2807647 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 1 (web_client.rules)
2807648 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 2 (web_client.rules)
2807649 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 3 (web_client.rules)
2807654 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0283) (web_client.rules)
2807660 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer Use After free (CVE-2014-0289) (web_client.rules)
2807935 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1753) (web_client.rules)
2807936 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1755) (web_client.rules)
2808040 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1815) (web_client.rules)
2808041 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1815) (web_client.rules)
2808151 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1800) (web_client.rules)
2809746 - ETPRO WEB_CLIENT Internet Explorer CTreePos Use After Free (CVE-2015-0068) 1 (web_client.rules)
2814830 - ETPRO WEB_CLIENT IE Use After Free CEditEventSink (CVE-2015-6071) (web_client.rules)

Disabled and modified rules:

2839423 - ETPRO EXPLOIT_KIT PurpleFox EK Framework Certificate Observed (exploit_kit.rules)

Topic		Replies	Views
Ruleset Update Summary - 2023/03/27 - v10278 Ruleset Updates	0	398	March 27, 2023
Ruleset Update Summary - 2023/01/27 - v10231 Ruleset Updates	0	288	January 27, 2023
Ruleset Update Summary - 2023/04/04 - v10284 Ruleset Updates	0	240	April 4, 2023
Ruleset Update Summary - 2023/03/06 - v10259 Ruleset Updates	1	212	March 6, 2023
Ruleset Update Summary - 2023/02/15 - v10244 Ruleset Updates	0	168	February 15, 2023