Ruleset Update Summary - 2023/03/14 - v10267

Ruleset Updates
1

Summary:

30 new OPEN, 73 new PRO (30 + 43)

Thanks @suyog41, @Mandiant, @travisbgreen, @ASEC_Analysis, @corelight_inc, @benreardon, @Gi7w0rm, @corelight_inc, @benreardon

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.

Added rules:

Open:

  • 2044585 - ET EXPLOIT TP-Link Archer AX21 Unauthenticated Command Injection Inbound (CVE-2023-1389) (exploit.rules)
  • 2044586 - ET INFO DYNAMIC_DNS Query to a *.adoubleu .de Domain (info.rules)
  • 2044587 - ET INFO DYNAMIC_DNS HTTP Request to a *.adoubleu .de Domain (info.rules)
  • 2044588 - ET INFO DYNAMIC_DNS Query to a *.4twenty .us Domain (info.rules)
  • 2044589 - ET INFO DYNAMIC_DNS HTTP Request to a *.4twenty .us Domain (info.rules)
  • 2044590 - ET INFO playit .gg Tunneling Domain in DNS Lookup (info.rules)
  • 2044591 - ET INFO DYNAMIC_DNS Query to a *.aarogyamnepal .org .np Domain (info.rules)
  • 2044592 - ET INFO DYNAMIC_DNS HTTP Request to a *.aarogyamnepal .org .np Domain (info.rules)
  • 2044593 - ET INFO DYNAMIC_DNS Query to a *.adistra .com Domain (info.rules)
  • 2044594 - ET INFO DYNAMIC_DNS HTTP Request to a *.adistra .com Domain (info.rules)
  • 2044595 - ET MALWARE Win32/HMR RAT Sending System Information M3 (malware.rules)
  • 2044596 - ET MALWARE Win32/HMR RAT Sending System Information M4 (malware.rules)
  • 2044597 - ET MALWARE Amadey Bot Activity (POST) (malware.rules)
  • 2044598 - ET MALWARE Win32/Unknown Stealer CnC Exfil via Telegram M1 (malware.rules)
  • 2044599 - ET MALWARE Win32/Unknown Stealer CnC Exfil via Telegram M2 (malware.rules)
  • 2044600 - ET MALWARE SIDESHOW CnC Authentication Over HTTP (malware.rules)
  • 2044601 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (sede .lamarinadevalencia .com) (malware.rules)
  • 2044602 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (abba-servicios .mx) (malware.rules)
  • 2044603 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (doug .org) (malware.rules)
  • 2044604 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (fainstec .com) (malware.rules)
  • 2044605 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (webinternal .anyplex .com) (malware.rules)
  • 2044606 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (leadsblue .com) (malware.rules)
  • 2044607 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (ruscheltelefonia .com .br) (malware.rules)
  • 2044608 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (ajayjangid .in) (malware.rules)
  • 2044609 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (keewoom .co .kr) (malware.rules)
  • 2044610 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (olidhealth .com) (malware.rules)
  • 2044611 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (mantis .quick .net .pl) (malware.rules)
  • 2044612 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (toptradenews .com) (malware.rules)
  • 2044613 - ET MALWARE Observed DNS Query to LIGHTSHOW Domain (crickethighlights .today) (malware.rules)
  • 2044614 - ET MALWARE Observed DNS Query to Kimsuky Domain (mpevalr .ria .monster) (malware.rules)

Pro:

  • 2853646 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2853647 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853648 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853649 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2853650 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2853651 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2853652 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2853653 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2853654 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2853655 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2853656 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2853657 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2853658 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2853659 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2853660 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853661 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853662 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2853663 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2853664 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2853665 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2853666 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2853667 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2853668 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2853669 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2853670 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2853671 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2853672 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2853673 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853674 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2853675 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2853676 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2853677 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2853678 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2853679 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2853680 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2853681 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2853682 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2853683 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2853684 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2853685 - ETPRO MALWARE Win32/XWorm Checkin via Telegram (malware.rules)
  • 2853686 - ETPRO HUNTING Google Referer POST (hunting.rules)
  • 2853687 - ETPRO INFO Observed Phishing/Security Simulation Service Domain DNS Lookup (info.rules)
  • 2853688 - ETPRO INFO Observed Phishing/Security Simulation Service Domain in TLS SNI (info.rules)

Disabled and modified rules:

  • 2034683 - ET MALWARE Linux/Tsunami Downloader (malware.rules)
  • 2034684 - ET MALWARE Linux/Tsunami Remote Shell M1 (malware.rules)
  • 2034685 - ET MALWARE Linux/Tsunami Downloader (malware.rules)
  • 2034686 - ET MALWARE Linux/Tsunami Remote Shell M2 (malware.rules)
  • 2034739 - ET MALWARE DCRat CnC Activity M11 (malware.rules)
  • 2034740 - ET MALWARE DCRat CnC Activity M12 (malware.rules)
  • 2034741 - ET MALWARE DCRat CnC Activity M13 (malware.rules)
  • 2034838 - ET SCAN WordPress HelloThinkCMF Scan (scan.rules)
  • 2034914 - ET EXPLOIT Windows Defender POWERLIKS Detection Bypass (exploit.rules)
  • 2034961 - ET EXPLOIT GitLab Unauthenticated Remote ExifTool Command Injection (CVE-2021-24563) (exploit.rules)
  • 2034982 - ET MALWARE Win32/ClipBanker.OC CnC Activity M1 (malware.rules)
  • 2034983 - ET MALWARE Win32/ClipBanker.OC CnC Activity M2 (malware.rules)
  • 2035031 - ET MALWARE StrifeWater Rat CnC Activity (malware.rules)
  • 2035040 - ET MALWARE StrifeWater RAT CnC Activity M2 (malware.rules)
  • 2035098 - ET MALWARE Win32/Trojan.Agent.FSTT CnC Activity (malware.rules)
  • 2035099 - ET MALWARE Win32/Pteranodon CnC Exfil (POST) (malware.rules)
  • 2035207 - ET MALWARE MSIL/GenKryptik.FQRH Download Request (malware.rules)
  • 2035211 - ET MALWARE Win32/QuasarRAT CnC Traffic (malware.rules)
  • 2035400 - ET MALWARE JS/Skimmer Inbound (Likely MageCart) M2 (malware.rules)
  • 2035421 - ET MALWARE Win32/ArmyOfUkraine Bot Activity (malware.rules)
  • 2035459 - ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M1 (malware.rules)
  • 2035536 - ET MALWARE Backdoor/Win.Gh0stRAT CnC Exfil (malware.rules)
  • 2035565 - ET MALWARE ConPtyShell Client Response (malware.rules)
  • 2035566 - ET MALWARE ConPtyShell Server Command (whoami) (malware.rules)
  • 2035567 - ET MALWARE ConPtyShell Server Close Shell (malware.rules)
  • 2035605 - ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Command Fetch (malware.rules)
  • 2035606 - ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Domain Fetch (malware.rules)
  • 2035693 - ET MALWARE Win32/Killav.CM CnC Response (malware.rules)
  • 2035694 - ET MALWARE Win32/Killav.CM Checkin M2 (malware.rules)
  • 2035753 - ET MALWARE MSIL/Unk.CoinMiner Downloader (malware.rules)
  • 2035754 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
  • 2035755 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
  • 2035756 - ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader) (malware.rules)
  • 2035768 - ET HUNTING Kaspov Related Hex In HTTP Accept Header (hunting.rules)
  • 2035900 - ET MALWARE Win32/Farfli.CUY Downloader (malware.rules)
  • 2035918 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (showsvc .com) (malware.rules)
  • 2035919 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (wicommerece .com) (malware.rules)
  • 2035920 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (upservicemc .com) (malware.rules)
  • 2035921 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (netpixelds .com) (malware.rules)
  • 2035922 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (allmyad .com) (malware.rules)
  • 2035923 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (ananoka .com) (malware.rules)
  • 2035924 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (gvgnci .com) (malware.rules)
  • 2035925 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (msfbckupsc .com) (malware.rules)
  • 2035926 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (polanicia .com) (malware.rules)
  • 2035927 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (informaxima .org) (malware.rules)
  • 2035928 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (worldchangeos .com) (malware.rules)
  • 2035929 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (liongracem .com) (malware.rules)
  • 2035930 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (jmarrycs .com) (malware.rules)
  • 2035931 - ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (am-reader .com) (malware.rules)
  • 2036244 - ET MALWARE MSIL/Crimson Client Command Response (info) (malware.rules)
  • 2036268 - ET HUNTING Request To Suspicious Filename via Powershell (payload) (hunting.rules)
  • 2036281 - ET MALWARE Win64/CobaltStrike.Beacon.J CnC Checkin (malware.rules)
  • 2036282 - ET MALWARE Cobalt Strike X-Client Header (notevil) (malware.rules)
  • 2036291 - ET MALWARE Win32/Shuckworm CnC Exfil M1 (malware.rules)
  • 2036292 - ET MALWARE Win32/Shuckworm CnC Exfil M2 (malware.rules)
  • 2036293 - ET MALWARE Win32/Pterodo CnC VNC Connect Request (malware.rules)
  • 2036294 - ET MALWARE Win32/ChromeBack Extention Payload Fetch (malware.rules)
  • 2036295 - ET MALWARE Win32/ChromeBack CnC Checkin (malware.rules)
  • 2036296 - ET MALWARE Win32/ChromeBack Browser Hijacker Query Redirection (malware.rules)
  • 2036297 - ET MALWARE Win32/ChromeBack Browser Hijacker Sync (malware.rules)
  • 2036354 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (StatusTime) (malware.rules)
  • 2036355 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Comands) (malware.rules)
  • 2036356 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Checkupdate) (malware.rules)
  • 2036357 - ET MALWARE Win32/Agent.VAZ Bot CnC Checkin M1 (malware.rules)
  • 2036378 - ET EXPLOIT WSO2 Server RCE (CVE-2022-29464) (exploit.rules)
  • 2036392 - ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) Signed JWT Bypass (CVE-2022-21449) (exploit.rules)
  • 2036468 - ET MALWARE PoshC2 Downloader Activity (GET) (malware.rules)
  • 2036469 - ET INFO DYNAMIC_DNS HTTP Request to a *.4nmn .com Domain (info.rules)
  • 2036470 - ET INFO DYNAMIC_DNS Query to 4nmn .com Domain (info.rules)
  • 2036509 - ET MALWARE Kimsuky APT PebbleDash Related Activity (GET) (malware.rules)
  • 2036510 - ET MALWARE PoshC2 - Observed Default URI Structure M1 (malware.rules)
  • 2850657 - ETPRO MALWARE Valyria Maldoc/BazarLoader Activity (GET) (malware.rules)
  • 2850671 - ETPRO MALWARE Valyria CnC Activity (GET) (malware.rules)
  • 2850800 - ETPRO MALWARE Valyria Maldoc Activity (GET) (malware.rules)
  • 2850831 - ETPRO MALWARE Valyria Maldoc Activity (GET) (malware.rules)
  • 2850838 - ETPRO MALWARE DCRAT CnC Activity (GET) (malware.rules)
  • 2850839 - ETPRO MALWARE DCRAT CnC Response (malware.rules)
  • 2850853 - ETPRO MALWARE Trojan:Win32/Wacatac Payload Download (malware.rules)
  • 2850871 - ETPRO MALWARE Win32/Spy.Banker CnC Exfil (POST) (malware.rules)
  • 2850940 - ETPRO MALWARE Win32/TrojanDownloader.Agent.DSF CnC Activity (malware.rules)
  • 2850941 - ETPRO MALWARE Win32/TrojanDownloader.Agent.DSF CnC Activity (malware.rules)
  • 2851042 - ETPRO MALWARE Trojan:Win32/Sabsik Payload Request M2 (malware.rules)
  • 2851043 - ETPRO MALWARE Trojan:Win32/Sabsik Payload Request M1 (malware.rules)
  • 2851113 - ETPRO MALWARE Win32/Induc.A CnC Activity (GET) (malware.rules)
  • 2851115 - ETPRO MALWARE Win32/Fabookie.ek CnC Activity M2 (malware.rules)
  • 2851152 - ETPRO MALWARE Koadic CnC Activity (POST) (malware.rules)
  • 2851180 - ETPRO MALWARE Trojan:Win32/Sabsik Payload Request M2 (malware.rules)
  • 2851206 - ETPRO MALWARE Win32/LokiBot Payload Download Request M2 (malware.rules)
  • 2851244 - ETPRO MALWARE Win32/Packed.BlackMoon.A Arguments Fetch (malware.rules)
  • 2851279 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (power.txt) (malware.rules)
  • 2851280 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (kill.txt) (malware.rules)
  • 2851281 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (uninstall.txt) (malware.rules)
  • 2851282 - ETPRO MALWARE PowerShell/TrojanDownloader.Agent.BHN Payload Request (download.txt) (malware.rules)
  • 2851290 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Get Commands) (malware.rules)
  • 2851291 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Fake Avast Antivirus) (malware.rules)
  • 2851292 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Fake AVG AntiVirus) (malware.rules)
  • 2851293 - ETPRO MALWARE Win32/AsyncRAT CnC Activity (Fake MalwareBytes AV) (malware.rules)
  • 2851294 - ETPRO MALWARE Win32/AsyncRAT Successful Payload Download (malware.rules)
  • 2851313 - ETPRO MALWARE VBS/TrojanDownloader.Agent.WVY Obfuscated ShellExecute Command (SilentlyContinue) (malware.rules)
  • 2851423 - ETPRO MALWARE Trojan.Win32.Scar.DSUU CnC Exfil (malware.rules)
  • 2851575 - ETPRO MALWARE Observed Qbot Domain (psmyanmar .com in TLS SNI) (malware.rules)
  • 2851576 - ETPRO MALWARE Observed Qbot Domain (fastesol .com in TLS SNI) (malware.rules)
  • 2851580 - ETPRO MALWARE Win32/Trojan.Agent.FRPG Exfil Activity (POST) (malware.rules)