Ruleset Update Summary - 2023/03/20 - v10273

Summary:

29 new OPEN, 33 new PRO (29 + 4)

Thanks @malPileDriver, @suyog41, @0xToxin, @James_inthe_box, @1ZRR4H, @ShadowChasing1

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

The mailing list is being retired on April 3, 2023.

Added rules:

Open:

  • 2044680 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M1 (CVE-2023-23397) (exploit.rules)
  • 2044681 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M2 (CVE-2023-23397) (exploit.rules)
  • 2044682 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M3 (CVE-2023-23397) (exploit.rules)
  • 2044683 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M4 (CVE-2023-23397) (exploit.rules)
  • 2044684 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M5 (CVE-2023-23397) (exploit.rules)
  • 2044685 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M6 (CVE-2023-23397) (exploit.rules)
  • 2044686 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M7 (CVE-2023-23397) (exploit.rules)
  • 2044687 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M8 (CVE-2023-23397) (exploit.rules)
  • 2044688 - ET MALWARE Ares Loader Observed User-Agent M1 (malware.rules)
  • 2044689 - ET MALWARE Ares Loader Observed User-Agent M2 (malware.rules)
  • 2044690 - ET MALWARE Ares Loader Checkin (malware.rules)
  • 2044691 - ET MALWARE IcedID CnC Domain in DNS Lookup (malware.rules)
  • 2044692 - ET MALWARE Win32/keyzetsu Stealer exfil via Telegram (Response) (malware.rules)
  • 2044693 - ET MALWARE Win32/keyzetsu Stealer Variant Exfil via Telegram (Response) (malware.rules)
  • 2044694 - ET MALWARE Konni APT Related Activity (GET) (malware.rules)
  • 2044695 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1 (malware.rules)
  • 2044696 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 (malware.rules)
  • 2044697 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3 (malware.rules)
  • 2044698 - ET MALWARE Observed DNS Query to Gamaredon Domain (makasd .ru) (malware.rules)
  • 2044699 - ET MALWARE Observed DNS Query to Gamaredon Domain (gojoxa .ru) (malware.rules)
  • 2044700 - ET MALWARE Observed DNS Query to Gamaredon Domain (baralap .ru) (malware.rules)
  • 2044701 - ET MALWARE Observed DNS Query to Gamaredon Domain (rasulla .ru) (malware.rules)
  • 2044702 - ET MALWARE Unknown Powershell Profiler Exfiltrating System Data (malware.rules)
  • 2044703 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jqueryns .com) (malware.rules)
  • 2044704 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jqscr .com) (malware.rules)
  • 2044705 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .language .sebtomato .com) (malware.rules)
  • 2044706 - ET MALWARE SocGholish Domain in DNS Lookup (archive .vibezik .com) (malware.rules)
  • 2044707 - ET MALWARE SocGholish Domain in DNS Lookup (scripts .asi .services) (malware.rules)
  • 2044708 - ET MALWARE SocGholish Domain in DNS Lookup (trackrecord .wheresbecky .com) (malware.rules)

Pro:

  • 2853743 - ETPRO MALWARE PikaBot CnC Activity M1 (malware.rules)
  • 2853744 - ETPRO MALWARE PikaBot CnC Activity M2 (malware.rules)
  • 2853745 - ETPRO MALWARE PikaBot CnC Activity M3 (malware.rules)
  • 2853746 - ETPRO MALWARE PikaBot CnC Activity M4 (malware.rules)

Disabled and modified rules:

  • 2034631 - ET MALWARE Maldoc Activity (set) (malware.rules)
  • 2034632 - ET MALWARE Maldoc Retrieving Binary (malware.rules)
  • 2035184 - ET MALWARE Go/Anubis Registration Activity (malware.rules)
  • 2035185 - ET MALWARE Go/Anubis CnC Activity (POST) (malware.rules)
  • 2035293 - ET MALWARE PlugX Activity (POST) (malware.rules)
  • 2035304 - ET INFO Observed URL Shortening Service Domain (0sh .org in TLS SNI) (info.rules)
  • 2035305 - ET INFO Observed URL Shortening Service Domain (prourl .in in TLS SNI) (info.rules)
  • 2035308 - ET MALWARE Suspected PlugX Checkin Activity (udp) (malware.rules)
  • 2035360 - ET MALWARE SunSeed Lua Downloader Activity (GET) (malware.rules)
  • 2035362 - ET MALWARE SunSeed Download Retrieving Binary (malware.rules)
  • 2850667 - ETPRO PHISHING Successful Generic Phish 2021-12-10 (phishing.rules)

Removed rules:

  • 2853726 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M1 (CVE-2023-23397) (exploit.rules)
  • 2853727 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M2 (CVE-2023-23397) (exploit.rules)
  • 2853728 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M3 (CVE-2023-23397) (exploit.rules)
  • 2853729 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M4 (CVE-2023-23397) (exploit.rules)
  • 2853730 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M5 (CVE-2023-23397) (exploit.rules)
  • 2853731 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M6 (CVE-2023-23397) (exploit.rules)
  • 2853732 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M7 (CVE-2023-23397) (exploit.rules)
  • 2853733 - ETPRO EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M8 (CVE-2023-23397) (exploit.rules)