Summary:
10 new OPEN, 72 new PRO (10 + 62)
Thanks @symantec, @AzakaSekai_, @StopMalvertisin, @cyb3rops, @suyog41
The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net
We will announce the mailing list retirement date in the near future.
Added rules:
Open:
- 2044308 - ET MALWARE Golang Aurora Stealer Activity (POST) (malware.rules)
- 2044309 - ET MALWARE Gurcu Stealer Sending Data to Telegram (POST) (malware.rules)
- 2044310 - ET MALWARE Observed Malicious Domain in DNS Lookup (wpsupdate .luckfafa .com) (malware.rules)
- 2044311 - ET MALWARE Win32/Plugx CnC Activity (CONNECT) (malware.rules)
- 2044312 - ET MALWARE Cobalt Strike CnC Domain (taoche .cn .wswebpic .com) in DNS Lookup (malware.rules)
- 2044313 - ET MALWARE Cobalt Strike CnC Domain (csc .zte .com .cn .wswebpic .com) in DNS Lookup (malware.rules)
- 2044314 - ET MALWARE Cobalt Strike CnC Domain (alidocs .dingtalk .com .wswebpic .com) in DNS Lookup (malware.rules)
- 2044315 - ET MALWARE Win32/Backdoor.Atharvan CnC Checkin (malware.rules)
- 2044316 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .decision .alshafipdk .com) (malware.rules)
- 2044317 - ET PHISHING Successful Royal Credit Union Credential Phish 2023-02-23 (phishing.rules)
Pro:
- 2853536 - ETPRO HUNTING Suspicious Empty Connection Header (hunting.rules)
- 2853537 - ETPRO HUNTING Suspicious Empty Keep-Alive Header (hunting.rules)
- 2853538 - ETPRO HUNTING Suspicious Empty Accept Header (hunting.rules)
- 2853539 - ETPRO HUNTING Suspicious Empty Accept-Language Header (hunting.rules)
- 2853540 - ETPRO HUNTING Suspicious Empty Expect Header (hunting.rules)
- 2853541 - ETPRO HUNTING Suspicious Empty Max-Forwards Header (hunting.rules)
- 2853542 - ETPRO HUNTING Suspicious Empty Content-Length Header (hunting.rules)
- 2853543 - ETPRO HUNTING Suspicious Empty Content-Type Header (hunting.rules)
- 2853544 - ETPRO HUNTING Suspicious Empty Content-Encoding Header (hunting.rules)
- 2853545 - ETPRO HUNTING Suspicious Empty Content-Language Header (hunting.rules)
- 2853546 - ETPRO HUNTING Suspicious Empty Content-Location Header (hunting.rules)
- 2853547 - ETPRO HUNTING Suspicious Empty Host Header (hunting.rules)
- 2853548 - ETPRO HUNTING Suspicious Empty Referer Header (hunting.rules)
- 2853549 - ETPRO HUNTING Suspicious Empty Fowarded Header (hunting.rules)
- 2853550 - ETPRO HUNTING Suspicious Empty X-Forwarded-For Header (hunting.rules)
- 2853551 - ETPRO HUNTING Suspicious Empty X-Forwarded-Host Header (hunting.rules)
- 2853552 - ETPRO HUNTING Suspicious Empty X-Forwarded-Proto Header (hunting.rules)
- 2853553 - ETPRO HUNTING Suspicious Empty Via Header (hunting.rules)
- 2853554 - ETPRO HUNTING Suspicious Empty Authorization Header (hunting.rules)
- 2853555 - ETPRO HUNTING Suspicious Empty Proxy-Authenticate Header (hunting.rules)
- 2853556 - ETPRO HUNTING Suspicious Empty Proxy-Authorization Header (hunting.rules)
- 2853557 - ETPRO HUNTING Suspicious Empty WWW-Authenticate Header (hunting.rules)
- 2853558 - ETPRO HUNTING Suspicious Empty Age Header (hunting.rules)
- 2853559 - ETPRO HUNTING Suspicious Empty Cache-Control Header (hunting.rules)
- 2853560 - ETPRO HUNTING Suspicious Empty Clear-Site-Data Header (hunting.rules)
- 2853561 - ETPRO HUNTING Suspicious Empty Expires Header (hunting.rules)
- 2853562 - ETPRO HUNTING Suspicious Empty Pragma Header (hunting.rules)
- 2853563 - ETPRO HUNTING Suspicious Empty Warning Header (hunting.rules)
- 2853564 - ETPRO HUNTING Suspicious Empty Accept-CH Header (hunting.rules)
- 2853565 - ETPRO HUNTING Suspicious Empty Accept-CH-Lifetime Header (hunting.rules)
- 2853566 - ETPRO HUNTING Suspicious Empty Critical-CH Header (hunting.rules)
- 2853567 - ETPRO HUNTING Suspicious Empty Critical-CH Header (hunting.rules)
- 2853568 - ETPRO HUNTING Suspicious Empty Sec-CH-UA Header (hunting.rules)
- 2853569 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Arch Header (hunting.rules)
- 2853570 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Bitness Header (hunting.rules)
- 2853571 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Full-Version Header (hunting.rules)
- 2853572 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Full-Version-List Header (hunting.rules)
- 2853573 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Mobile Header (hunting.rules)
- 2853574 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Model Header (hunting.rules)
- 2853575 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Platform Header (hunting.rules)
- 2853576 - ETPRO HUNTING Suspicious Empty Sec-CH-UA-Platform-Version Header (hunting.rules)
- 2853577 - ETPRO HUNTING Suspicious Empty Content-DPR Header (hunting.rules)
- 2853578 - ETPRO HUNTING Suspicious Empty Device-Memory Header (hunting.rules)
- 2853579 - ETPRO HUNTING Suspicious Empty DPR Header (hunting.rules)
- 2853580 - ETPRO HUNTING Suspicious Empty Viewport-Width Header (hunting.rules)
- 2853581 - ETPRO HUNTING Suspicious Empty Width Header (hunting.rules)
- 2853582 - ETPRO HUNTING Suspicious Empty Downlink Header (hunting.rules)
- 2853583 - ETPRO HUNTING Suspicious Empty ECT Header (hunting.rules)
- 2853584 - ETPRO HUNTING Suspicious Empty RTT Header (hunting.rules)
- 2853585 - ETPRO HUNTING Suspicious Empty Save-Data Header (hunting.rules)
- 2853586 - ETPRO HUNTING Suspicious Empty Last-Modified Header (hunting.rules)
- 2853587 - ETPRO HUNTING Suspicious Empty ETag Header (hunting.rules)
- 2853588 - ETPRO HUNTING Suspicious Empty If-Match Header (hunting.rules)
- 2853589 - ETPRO HUNTING Suspicious Empty If-None-Match Header (hunting.rules)
- 2853590 - ETPRO HUNTING Suspicious Empty If-Modified-Since Header (hunting.rules)
- 2853591 - ETPRO HUNTING Suspicious Empty If-Unmodified-Since Header (hunting.rules)
- 2853592 - ETPRO HUNTING Suspicious Empty Vary Header (hunting.rules)
- 2853593 - ETPRO HUNTING Suspicious Empty Sec-WebSocket-Key Header (hunting.rules)
- 2853594 - ETPRO HUNTING Suspicious Empty Sec-WebSocket-Extensions Header (hunting.rules)
- 2853595 - ETPRO HUNTING Suspicious Empty Sec-WebSocket-Accept Header (hunting.rules)
- 2853596 - ETPRO HUNTING Suspicious Empty Sec-WebSocket-Protocol Header (hunting.rules)
- 2853597 - ETPRO HUNTING Suspicious Empty Sec-WebSocket-Version Header (hunting.rules)
Disabled and modified rules:
- 2034849 - ET MALWARE Cobalt Strike Activity (GET) (malware.rules)
- 2034875 - ET MALWARE Maldoc Retrieving Remote Template (GET) (malware.rules)
- 2034904 - ET MALWARE TellYouThePass Ransomware Checkin Activity (GET) (malware.rules)