Summary:
15 new OPEN, 19 new PRO (15 + 4)
Thanks @TrendMicroRSRCH, @sekoia_io
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
Added rules:
Open:
- 2044243 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in (malware.rules)
- 2044244 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 (malware.rules)
- 2044245 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config (malware.rules)
- 2044246 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 (malware.rules)
- 2044247 - ET MALWARE Win32/Stealc Active C2 Responding with plugins Config (malware.rules)
- 2044248 - ET MALWARE Win32/Stealc Submitting System Information to C2 (malware.rules)
- 2044249 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 (malware.rules)
- 2044250 - ET MALWARE Win32/WhiskerSpy - Machine ID Registration (malware.rules)
- 2044251 - ET MALWARE Win32/WhiskerSpy - Key Material Upload (malware.rules)
- 2044252 - ET MALWARE Win32/WhiskerSpy - Task Request (malware.rules)
- 2044253 - ET MALWARE Win32/WhiskerSpy CnC Activity (malware.rules)
- 2044254 - ET MALWARE Win32/WhiskerSpy - FTP - Observed Creds (malware.rules)
- 2044255 - ET MALWARE Win32/WhiskerSpy - FTP STOR Command M1 (malware.rules)
- 2044256 - ET MALWARE Win32/WhiskerSpy - FTP STOR Command M2 (malware.rules)
- 2044257 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .calendar .wishmarkets .com) (malware.rules)
Pro:
- 2853518 - ETPRO INFO Abnormally Large Remote TLS Certificate Drip Feed Inbound - Potential Exploit Activity (info.rules)
- 2853519 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE xbits set, noalert (CVE-2023-21690) (exploit.rules)
- 2853520 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE Attempt Inbound (CVE-2023-21690) (exploit.rules)
- 2853521 - ETPRO HUNTING POST to a 32 byte hex string name PHP file (hunting.rules)
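These daily update mails follow a fixed "- SID - RULESET CATEGORY msg (file.rules)" shape, so the one check a practitioner usually wants is that the summary counts agree with the list (PRO includes every OPEN rule, so "19 new PRO (15 + 4)" means 15 shared plus 4 PRO-only) and that each SID sits in the block its ruleset uses (ET open in 2000000-2099999, ETPRO in 2800000-2899999). The parser below is an added example, not something the Emerging Threats team ships; the input is this update's own text embedded as a constructed string, and all function names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed input: the summary and "Added rules" lines from this update,
# copied from the mail so the example runs offline.
UPDATE_TEXT = """\
Summary:
15 new OPEN, 19 new PRO (15 + 4)
Added rules:
Open:
- 2044243 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in (malware.rules)
- 2044244 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 (malware.rules)
- 2044245 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config (malware.rules)
- 2044246 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 (malware.rules)
- 2044247 - ET MALWARE Win32/Stealc Active C2 Responding with plugins Config (malware.rules)
- 2044248 - ET MALWARE Win32/Stealc Submitting System Information to C2 (malware.rules)
- 2044249 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 (malware.rules)
- 2044250 - ET MALWARE Win32/WhiskerSpy - Machine ID Registration (malware.rules)
- 2044251 - ET MALWARE Win32/WhiskerSpy - Key Material Upload (malware.rules)
- 2044252 - ET MALWARE Win32/WhiskerSpy - Task Request (malware.rules)
- 2044253 - ET MALWARE Win32/WhiskerSpy CnC Activity (malware.rules)
- 2044254 - ET MALWARE Win32/WhiskerSpy - FTP - Observed Creds (malware.rules)
- 2044255 - ET MALWARE Win32/WhiskerSpy - FTP STOR Command M1 (malware.rules)
- 2044256 - ET MALWARE Win32/WhiskerSpy - FTP STOR Command M2 (malware.rules)
- 2044257 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .calendar .wishmarkets .com) (malware.rules)
Pro:
- 2853518 - ETPRO INFO Abnormally Large Remote TLS Certificate Drip Feed Inbound - Potential Exploit Activity (info.rules)
- 2853519 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE xbits set, noalert (CVE-2023-21690) (exploit.rules)
- 2853520 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE Attempt Inbound (CVE-2023-21690) (exploit.rules)
- 2853521 - ETPRO HUNTING POST to a 32 byte hex string name PHP file (hunting.rules)
"""

SUMMARY_RE = re.compile(r'(\d+) new OPEN, (\d+) new PRO')
RULE_RE = re.compile(
    r'^\s*-\s*(?P<sid>\d+)\s*-\s*'        # "- 2044243 - "
    r'(?P<ruleset>ET|ETPRO)\s+'           # "ET" (open) or "ETPRO"
    r'(?P<category>[A-Z_]+)\s+'           # MALWARE, EXPLOIT, INFO, HUNTING ...
    r'(?P<msg>.*?)\s*'                    # rest of the rule msg (may contain parens)
    r'\((?P<file>[\w.-]+\.rules)\)\s*$'   # trailing "(malware.rules)"
)
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,7}')

# SID blocks Emerging Threats allocates to each ruleset.
SID_BLOCKS = {"ET": (2000000, 2099999), "ETPRO": (2800000, 2899999)}


@dataclass(frozen=True)
class Rule:
    sid: int
    ruleset: str
    category: str
    msg: str
    rules_file: str
    cves: tuple


def parse_update(text):
    """Turn the bulleted rule lines of an update mail into Rule records."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m['sid']), m['ruleset'], m['category'],
                              m['msg'], m['file'], tuple(CVE_RE.findall(m['msg']))))
    return rules


def parse_summary(text):
    """Return (new_open, new_pro) from the 'N new OPEN, M new PRO' line."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no summary line found")
    return int(m.group(1)), int(m.group(2))


def summary_matches(text):
    """PRO ships every OPEN rule, so new PRO = open rules + PRO-only rules."""
    rules = parse_update(text)
    open_n, pro_n = parse_summary(text)
    n_open = sum(r.ruleset == "ET" for r in rules)
    n_pro_only = sum(r.ruleset == "ETPRO" for r in rules)
    return n_open == open_n and n_open + n_pro_only == pro_n


def sid_ranges_consistent(rules):
    """Every SID must fall inside the block of the ruleset named in its msg."""
    return all(SID_BLOCKS[r.ruleset][0] <= r.sid <= SID_BLOCKS[r.ruleset][1] for r in rules)


def sids_by_category(rules):
    out = {}
    for r in rules:
        out.setdefault(r.category, []).append(r.sid)
    return out


def rules_mentioning(rules, needle):
    """SIDs whose msg mentions a family, vendor or other keyword (case-insensitive)."""
    return [r.sid for r in rules if needle.lower() in r.msg.lower()]


if __name__ == "__main__":
    parsed = parse_update(UPDATE_TEXT)
    print(len(parsed), "rules; summary ok:", summary_matches(UPDATE_TEXT),
          "; sid ranges ok:", sid_ranges_consistent(parsed))
    print("WhiskerSpy:", rules_mentioning(parsed, "whiskerspy"))
```

The lazy `msg` group plus the anchored `(file.rules)` suffix is what keeps parenthesised content inside a msg, such as the defanged SocGholish domain or a CVE reference, from being mistaken for the rules-file field.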