Ruleset Update Summary - 2023/02/16 - v10245

rulesbot · February 16, 2023, 10:40pm

Summary:

22 new OPEN, 23 new PRO (22 + 1)

Thanks @symantec, @James_inthe_box

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

2037960 - ET HUNTING Observed Suspicious SSL Cert (Acme Co) (hunting.rules)
2044212 - ET MALWARE Likely APT29 Retrieving Payload Embedded In PNG (malware.rules)
2044213 - ET MALWARE Likely APT29 Retrieving Payload Embedded In PNG 2 (malware.rules)
2044214 - ET MALWARE Likely APT29 Retrieving Payload Embedded In PNG 3 (malware.rules)
2044215 - ET MALWARE Possible APT29 Compressed Payload Download Request (malware.rules)
2044216 - ET MALWARE APT28 DealersChoice CnC Beacon Response (malware.rules)
2044217 - ET MALWARE APT28 Zebrocy/Zekapab POST Template Structure (malware.rules)
2044218 - ET MALWARE APT28 Zebrocy/Zekapab CnC Checkin (malware.rules)
2044219 - ET INFO DYNAMIC_DNS Query to a *.apocalypto .org .uk domain (info.rules)
2044220 - ET INFO DYNAMIC_DNS HTTP Request to a *.apocalypto .org .uk domain (info.rules)
2044221 - ET INFO DYNAMIC_DNS Query to a *.satelit .org domain (info.rules)
2044222 - ET INFO DYNAMIC_DNS HTTP Request to a *.satelit .org domain (info.rules)
2044223 - ET INFO DYNAMIC_DNS Query to a *.khabdha .org domain (info.rules)
2044224 - ET INFO DYNAMIC_DNS HTTP Request to a *.khabdha .org domain (info.rules)
2044225 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044226 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044227 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
2044228 - ET HUNTING Observed Meterpreter Style Request (GET) (hunting.rules)
2044229 - ET PHISHING myGov Credential Phish 2023-02-15 (phishing.rules)
2044230 - ET PHISHING Prohqcker Phish Kit (phishing.rules)
2044231 - ET MALWARE Win32/frebniis IIS Backdoor Trigger Attempt M1 (malware.rules)
2044232 - ET MALWARE Win32/frebniis IIS Backdoor Trigger Attempt M1 (malware.rules)

Pro:

2853506 - ETPRO EXPLOIT Possible Adobe Acrobat Reader Use-After-Free Attempt Inbound (CVE-2023-21608) (exploit.rules)

Disabled and modified rules:

2009702 - ET POLICY DNS Update From External net (policy.rules)
2034645 - ET MALWARE APT15/NICKEL Related CnC Activity (POST) (malware.rules)
2850279 - ETPRO MALWARE Observed Malicious SSL Cert (BazaLoader CnC) (malware.rules)
2850280 - ETPRO MALWARE Observed Malicious SSL Cert (BazaLoader CnC) (malware.rules)

Removed rules:

2028832 - ET JA3 Hash - Suspected Cobalt Strike Malleable C2 (ja3s) M1 (ja3.rules)
2037960 - ET MALWARE Observed Malicious SSL Cert (Acme Co) (malware.rules)
2821945 - ETPRO MALWARE Likely APT29 Retrieving Payload Embedded In PNG (malware.rules)
2822055 - ETPRO MALWARE Likely APT29 Retrieving Payload Embedded In PNG 2 (malware.rules)
2822622 - ETPRO MALWARE Likely APT29 Retrieving Payload Embedded In PNG 3 (malware.rules)
2823197 - ETPRO MALWARE Possible APT29 Compressed Payload Download Request (malware.rules)
2823642 - ETPRO MALWARE APT28 DealersChoice CnC Beacon Response (malware.rules)
2835618 - ETPRO MALWARE APT28 Zebrocy/Zekapab POST Template Structure (malware.rules)
2836072 - ETPRO MALWARE APT28 Zebrocy/Zekapab CnC Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/02/23 - v10251 Ruleset Updates	388	February 23, 2023
Ruleset Update Summary - 2023/01/05 - v10212 Ruleset Updates	304	January 5, 2023
Ruleset Update Summary - 2022/12/27 - v10205 Ruleset Updates	605	December 27, 2022
Ruleset Update Summary - 2023/01/04 - v10211 Ruleset Updates	257	January 4, 2023
Ruleset Update Summary - 2023/02/22 - v10250 Ruleset Updates	360	February 22, 2023