Ruleset Update Summary - 2023/03/09 - v10262

Ruleset Updates
1

Summary:

19 new OPEN, 20 new PRO (19 + 1)

Thanks @Cyber0verload, @500mk500, @suyog41

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.

Added rules:

Open:

  • 2044537 - ET MALWARE Observed Emotet Maldoc Retrieving Payload (2023-03-07) M3 (malware.rules)
  • 2044538 - ET HUNTING robots Request (set) (hunting.rules)
  • 2044539 - ET HUNTING robots Request Returning Base64 (Inbound) (hunting.rules)
  • 2044540 - ET MALWARE SideCopy APT Related Backdoor Sending System Information (POST) (malware.rules)
  • 2044541 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh-lb-ca-tor .dnsflex .com) (info.rules)
  • 2044542 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh-lb-in .dnsflex .com) (info.rules)
  • 2044543 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh-lb-sg .dnsflex .com) (info.rules)
  • 2044544 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh-lb-de .dnsflex .com) (info.rules)
  • 2044545 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh-lb-atl .dnsflex .com) (info.rules)
  • 2044546 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh-lb-tr .dnsflex .com) (info.rules)
  • 2044547 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh-lb-gb .dnsflex .com) (info.rules)
  • 2044548 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh-lb-br .dnsflex .com) (info.rules)
  • 2044549 - ET MALWARE Observed DNS Query to Cinoshi Stealer Domain (anaida .evisyn .lol) (malware.rules)
  • 2044550 - ET MALWARE Win32/Cinoshi Stealer Wallet Request (GET) (malware.rules)
  • 2044551 - ET MALWARE Win32/Cinoshi Stealer Payload Request (GET) (malware.rules)
  • 2044552 - ET MALWARE Win32/I’m_Better Stealer CnC Checkin (malware.rules)
  • 2044553 - ET MALWARE Win32/Packed.BlackMoon.A Checkin (malware.rules)
  • 2044554 - ET MALWARE SocGholish NetSupport CnC Domain in DNS Lookup (itugbjhb .xyz) (malware.rules)
  • 2044555 - ET MALWARE SocGholish NetSupport Dropper Domain in DNS Lookup (gybvhxu .top) (malware.rules)

Pro:

  • 2853642 - ETPRO HUNTING Large RTF Font Table Observed - Possible Exploit Activity (CVE-2023-21716) (hunting.rules)

Disabled and modified rules:

  • 2013914 - ET POLICY APT User-Agent to BackTrack Repository (policy.rules)
  • 2033844 - ET INFO Suspicious Shellcode Request (info.rules)
  • 2034020 - ET MALWARE JS/Spy.Agent.AW Download (malware.rules)
  • 2034048 - ET MALWARE Win64/TrojanDownloader.Age Download Activity (GET) (malware.rules)
  • 2034083 - ET MALWARE Win32/Fake Anti-Pegasus AV CnC Exfil (malware.rules)
  • 2034199 - ET EXPLOIT Oracle BI Publisher Authentication Bypass (CVE-2019-2616) (exploit.rules)
  • 2034288 - ET MALWARE Win32/Sabsik Config Downloader (malware.rules)
  • 2034307 - ET MALWARE Fake Google Chrome Notifications Installer (malware.rules)
  • 2034338 - ET MALWARE Downloaded .bat Disables Windows Defender (malware.rules)
  • 2034339 - ET MALWARE Downloaded .bat Disables Real Time Monitoring (malware.rules)
  • 2034354 - ET EXPLOIT Vanguard v2.1 (Search) POST Inject Web Vulnerability (exploit.rules)
  • 2034359 - ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M1 (malware.rules)
  • 2034360 - ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M2 (malware.rules)
  • 2034395 - ET MALWARE Downloaded Script Disables Firewall/Antivirus (malware.rules)
  • 2034396 - ET MALWARE WBK Download from dotted-quad Host (malware.rules)
  • 2034410 - ET MALWARE LNK/Agent.GX CnC Traffic (malware.rules)
  • 2034437 - ET MALWARE Win32/Trojan.Nymeria CnC (malware.rules)
  • 2034442 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M1 (malware.rules)
  • 2034446 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M5 (malware.rules)
  • 2034449 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M8 (malware.rules)
  • 2034450 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M9 (malware.rules)
  • 2034451 - ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M10 (malware.rules)
  • 2034464 - ET MALWARE Possible MalDoc Retrieving Payload 2021-11-01 (malware.rules)
  • 2034479 - ET MALWARE ABCbot CnC Instruction (stop) (malware.rules)
  • 2034481 - ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Outbound (exploit.rules)
  • 2034482 - ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Inbound (exploit.rules)
  • 2034483 - ET MALWARE ABCbot CnC Exfil (malware.rules)
  • 2034484 - ET MALWARE ABCbot CnC Instruction (syn) (malware.rules)
  • 2034485 - ET MALWARE ABCbot CnC Instruction (dns) (malware.rules)
  • 2034486 - ET MALWARE ABCbot CnC Instruction (bigudp) (malware.rules)
  • 2034626 - ET EXPLOIT Exiftool RCE Inbound (CVE-2021-22204) (exploit.rules)
  • 2035064 - ET MALWARE Office Macro Emotet Download URI Nov 24 2021 (malware.rules)
  • 2044316 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .decision .alshafipdk .com) (malware.rules)
  • 2849956 - ETPRO MALWARE TeamTNT Chimaera Checkin (malware.rules)
  • 2850087 - ETPRO MALWARE Win32/VERTEX Stealer CnC Activity (GET) (malware.rules)
  • 2850115 - ETPRO MALWARE Trojan:Script/Wacatac Download (malware.rules)
  • 2850116 - ETPRO MALWARE Trojan:Script/Wacatac Download (malware.rules)
  • 2850292 - ETPRO MALWARE MSIL/TrojanDownloader.Age CnC Activity (malware.rules)
  • 2850551 - ETPRO MALWARE TeerDl CnC Exfil (malware.rules)
  • 2850558 - ETPRO MALWARE PowerShell/MSF Stager Inbound (malware.rules)
  • 2850598 - ETPRO MALWARE Ettersilent MalDoc C2 Beacon (malware.rules)
  • 2850613 - ETPRO MALWARE Win32/Lmbmiad CnC User-Agent (ve3xtest) (malware.rules)
  • 2850614 - ETPRO MALWARE Win32/Lmbmiad Downloader (.cmd) (malware.rules)
  • 2850615 - ETPRO MALWARE Win32/Lmbmiad Downloader (.dll) (malware.rules)
  • 2850616 - ETPRO MALWARE Win32/Lmbmiad CnC User-Agent (noandk) (malware.rules)
  • 2850617 - ETPRO MALWARE Win32/Lmbmiad Downloader (.ps1) (malware.rules)
  • 2850647 - ETPRO MALWARE Win32/Lmbmiad .ps1 Backdoor (malware.rules)