Ruleset Update Summary - 2023/02/23 - v10251

rulesbot · February 23, 2023, 10:14pm

Summary:

10 new OPEN, 72 new PRO (10 + 62)

Thanks @symantec, @AzakaSekai_, @StopMalvertisin, @cyb3rops, @suyog41

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.

Added rules:

Open:

2044308 - ET MALWARE Golang Aurora Stealer Activity (POST) (malware.rules)
2044309 - ET MALWARE Gurcu Stealer Sending Data to Telegram (POST) (malware.rules)
2044310 - ET MALWARE Observed Malicious Domain in DNS Lookup (wpsupdate .luckfafa .com) (malware.rules)
2044311 - ET MALWARE Win32/Plugx CnC Activity (CONNECT) (malware.rules)
2044312 - ET MALWARE Cobalt Strike CnC Domain (taoche .cn .wswebpic .com) in DNS Lookup (malware.rules)
2044313 - ET MALWARE Cobalt Strike CnC Domain (csc .zte .com .cn .wswebpic .com) in DNS Lookup (malware.rules)
2044314 - ET MALWARE Cobalt Strike CnC Domain (alidocs .dingtalk .com .wswebpic .com) in DNS Lookup (malware.rules)
2044315 - ET MALWARE Win32/Backdoor.Atharvan CnC Checkin (malware.rules)
2044316 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .decision .alshafipdk .com) (malware.rules)
2044317 - ET PHISHING Successful Royal Credit Union Credential Phish 2023-02-23 (phishing.rules)

Pro:

2853536 - ETPRO HUNTING Suspicious Empty Connection Header (hunting.rules)
2853537 - ETPRO HUNTING Suspicious Empty Keep-Alive Header (hunting.rules)
2853538 - ETPRO HUNTING Suspicious Empty Accept Header (hunting.rules)
2853539 - ETPRO HUNTING Suspicious Empty Accept-Language Header (hunting.rules)
2853540 - ETPRO HUNTING Suspicious Empty Expect Header (hunting.rules)
2853541 - ETPRO HUNTING Suspicious Empty Max-Forwards Header (hunting.rules)
2853542 - ETPRO HUNTING Suspicious Empty Content-Length Header (hunting.rules)
2853543 - ETPRO HUNTING Suspicious Empty Content-Type Header (hunting.rules)
2853544 - ETPRO HUNTING Suspicious Empty Content-Encoding Header (hunting.rules)
2853545 - ETPRO HUNTING Suspicious Empty Content-Language Header (hunting.rules)
2853546 - ETPRO HUNTING Suspicious Empty Content-Location Header (hunting.rules)
2853547 - ETPRO HUNTING Suspicious Empty Host Header (hunting.rules)
2853548 - ETPRO HUNTING Suspicious Empty Referer Header (hunting.rules)
2853549 - ETPRO HUNTING Suspicious Empty Fowarded Header (hunting.rules)
2853550 - ETPRO HUNTING Suspicious Empty X-Forwarded-For Header (hunting.rules)
2853551 - ETPRO HUNTING Suspicious Empty X-Forwarded-Host Header (hunting.rules)
2853552 - ETPRO HUNTING Suspicious Empty X-Forwarded-Proto Header (hunting.rules)
2853553 - ETPRO HUNTING Suspicious Empty Via Header (hunting.rules)
2853554 - ETPRO HUNTING Suspicious Empty Authorization Header (hunting.rules)
2853555 - ETPRO HUNTING Suspicious Empty Proxy-Authenticate Header (hunting.rules)
2853556 - ETPRO HUNTING Suspicious Empty Proxy-Authorization Header (hunting.rules)
2853557 - ETPRO HUNTING Suspicious Empty WWW-Authenticate Header (hunting.rules)
2853558 - ETPRO HUNTING Suspicious Empty Age Header (hunting.rules)
2853559 - ETPRO HUNTING Suspicious Empty Cache-Control Header (hunting.rules)
2853560 - ETPRO HUNTING Suspicious Empty Clear-Site-Data Header (hunting.rules)
2853561 - ETPRO HUNTING Suspicious Empty Expires Header (hunting.rules)
2853562 - ETPRO HUNTING Suspicious Empty Pragma Header (hunting.rules)
2853563 - ETPRO HUNTING Suspicious Empty Warning Header (hunting.rules)
2853564 - ETPRO HUNTING Suspicious Empty Accept-CH Header (hunting.rules)
2853565 - ETPRO HUNTING Suspicious Empty Accept-CH-Lifetime Header (hunting.rules)
2853566 - ETPRO HUNTING Suspicious Empty Critical-CH Header (hunting.rules)
2853567 - ETPRO HUNTING Suspicious Empty Critical-CH Header (hunting.rules)
2853568 - ETPRO HUNTING Suspicious Empty Sec-CH-UA Header (hunting.rules)
2853569 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Arch Header (hunting.rules)
2853570 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Bitness Header (hunting.rules)
2853571 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Full-Version Header (hunting.rules)
2853572 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Full-Version-List Header (hunting.rules)
2853573 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Mobile Header (hunting.rules)
2853574 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Model Header (hunting.rules)
2853575 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Platform Header (hunting.rules)
2853576 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Platform-Version Header (hunting.rules)
2853577 - ETPRO HUNTING Suspicious Empty Content-DPR Header (hunting.rules)
2853578 - ETPRO HUNTING Suspicious Empty Device-Memory Header (hunting.rules)
2853579 - ETPRO HUNTING Suspicious Empty DPR Header (hunting.rules)
2853580 - ETPRO HUNTING Suspicious Empty Viewport-Width Header (hunting.rules)
2853581 - ETPRO HUNTING Suspicious Empty Width Header (hunting.rules)
2853582 - ETPRO HUNTING Suspicious Empty Downlink Header (hunting.rules)
2853583 - ETPRO HUNTING Suspicious Empty ECT Header (hunting.rules)
2853584 - ETPRO HUNTING Suspicious Empty RTT Header (hunting.rules)
2853585 - ETPRO HUNTING Suspicious Empty Save-Data Header (hunting.rules)
2853586 - ETPRO HUNTING Suspicious Empty Last-Modified Header (hunting.rules)
2853587 - ETPRO HUNTING Suspicious Empty ETag Header (hunting.rules)
2853588 - ETPRO HUNTING Suspicious Empty If-Match Header (hunting.rules)
2853589 - ETPRO HUNTING Suspicious Empty If-None-Match Header (hunting.rules)
2853590 - ETPRO HUNTING Suspicious Empty If-Modified-Since Header (hunting.rules)
2853591 - ETPRO HUNTING Suspicious Empty If-Unmodified-Since Header (hunting.rules)
2853592 - ETPRO HUNTING Suspicious Empty Vary Header (hunting.rules)
2853593 - ETPRO HUNTING Suspicious Empty Sec-WebSocket-Key Header (hunting.rules)
2853594 - ETPRO HUNTING Suspicious Empty Sec-WebSocket-Extensions Header (hunting.rules)
2853595 - ETPRO HUNTING Suspicious Empty Sec-WebSocket-Accept Header (hunting.rules)
2853596 - ETPRO HUNTING Suspicious Empty Sec-WebSocket-Protocol Header (hunting.rules)
2853597 - ETPRO HUNTING Suspicious Empty Sec-WebSocket-Version Header (hunting.rules)

Disabled and modified rules:

2034849 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
2034875 - ET MALWARE Maldoc Retrieving Remote Template (GET) (malware.rules)
2034904 - ET MALWARE TellYouThePass Ransomware Checkin Activity (GET) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/01/12 - v10219 Ruleset Updates	160	January 12, 2023
Ruleset Update Summary - 2022/12/09 - v10192 Ruleset Updates	322	December 9, 2022
Ruleset Update Summary - 2022/11/17 - v10175 Ruleset Updates	342	November 17, 2022
Ruleset Update Summary - 2023/01/09 - v10215 Ruleset Updates	251	January 9, 2023
Ruleset Update Summary - 2023/02/10 - v10241 Ruleset Updates	186	February 10, 2023