Summary:
37 new OPEN, 40 new PRO (37 open + 3 PRO-only)
Thanks @crep1x
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
Added rules:
Open:
- 2044271 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
- 2044272 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
- 2044273 - ET INFO DYNAMIC_DNS Query to a *.nswrogaining .org Domain (info.rules)
- 2044274 - ET INFO DYNAMIC_DNS HTTP Request to a *.nswrogaining .org Domain (info.rules)
- 2044275 - ET INFO DYNAMIC_DNS Query to a *.datacomponents .com .mx Domain (info.rules)
- 2044276 - ET INFO DYNAMIC_DNS HTTP Request to a *.datacomponents .com .mx Domain (info.rules)
- 2044277 - ET INFO DYNAMIC_DNS Query to a *.portalwebvillamercedes .gob .ar Domain (info.rules)
- 2044278 - ET INFO DYNAMIC_DNS HTTP Request to a *.portalwebvillamercedes .gob .ar Domain (info.rules)
- 2044279 - ET INFO DYNAMIC_DNS Query to a *.comapatecoman .gob .mx Domain (info.rules)
- 2044280 - ET INFO DYNAMIC_DNS HTTP Request to a *.comapatecoman .gob .mx Domain (info.rules)
- 2044281 - ET INFO DYNAMIC_DNS Query to a *.potomacriversafetycommittee .org Domain (info.rules)
- 2044282 - ET INFO DYNAMIC_DNS HTTP Request to a *.potomacriversafetycommittee .org Domain (info.rules)
- 2044283 - ET INFO DYNAMIC_DNS Query to a *.nova-gns .com Domain (info.rules)
- 2044284 - ET INFO DYNAMIC_DNS HTTP Request to a *.nova-gns .com Domain (info.rules)
- 2044285 - ET INFO DYNAMIC_DNS Query to a *.sismonda .com Domain (info.rules)
- 2044286 - ET INFO DYNAMIC_DNS HTTP Request to a *.sismonda .com Domain (info.rules)
- 2044287 - ET INFO DYNAMIC_DNS Query to a *.vaultnoir .com Domain (info.rules)
- 2044288 - ET INFO DYNAMIC_DNS HTTP Request to a *.vaultnoir .com Domain (info.rules)
- 2044289 - ET PHISHING VigLink Redirect To Phishing Landing Page (phishing.rules)
- 2044290 - ET MALWARE Win32/Atlantida Stealer Sending System Information (POST) (malware.rules)
- 2044291 - ET MALWARE Win32/0xtaRAT CnC Activity (GET) M2 (malware.rules)
- 2044292 - ET PHISHING Generic Credential Phish Landing Page M1 2023-02-22 (phishing.rules)
- 2044293 - ET PHISHING Successful Generic Credential Phish M1 2023-02-22 (phishing.rules)
- 2044294 - ET PHISHING Generic Credential Phish Landing Page M2 2023-02-22 (phishing.rules)
- 2044295 - ET PHISHING Successful Generic Credential Phish M2 2023-02-22 (phishing.rules)
- 2044296 - ET PHISHING Successful Generic Credential Phish M1 2023-02-22 (phishing.rules)
- 2044297 - ET PHISHING Successful Generic Credential Phish M2 2023-02-22 (phishing.rules)
- 2044298 - ET PHISHING Successful Generic Credential Phish M3 2023-02-22 (phishing.rules)
- 2044299 - ET PHISHING Successful Generic Credential Phish M4 2023-02-22 (phishing.rules)
- 2044300 - ET INFO Clearbit Logo Query in DNS Lookup (info.rules)
- 2044301 - ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity (hunting.rules)
- 2044302 - ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity (hunting.rules)
- 2044303 - ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity (hunting.rules)
- 2044304 - ET HUNTING HTTP GET Request for msvcp40.dll - Possible Infostealer Activity (hunting.rules)
- 2044305 - ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity (hunting.rules)
- 2044306 - ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity (hunting.rules)
- 2044307 - ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity (hunting.rules)
Pro:
- 2853530 - ETPRO EXPLOIT Possible ClamAV XML XXE in Maliciously Crafted .dmg M1 (CVE-2023-20052) (exploit.rules)
- 2853531 - ETPRO EXPLOIT Possible ClamAV XML XXE in Maliciously Crafted .dmg M2 (CVE-2023-20052) (exploit.rules)
- 2853532 - ETPRO MALWARE XWorm CnC Domain in DNS Lookup (malware.rules)
Disabled and modified rules:
- 2853520 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE Attempt Inbound (CVE-2023-21690) (exploit.rules)