[***] Summary: [***]

18 new OPEN, 27 new PRO (18 + 9): CVE-2019-9514, CVE-2019-9515,
Wintervivern, Cobalt Strike, FlawedGrace, and MSIL/Ixanity, with updates
to MirrorBlast and SQUIRRELWAFFLE sigs.

Today MITRE ATT&CK tags were applied en masse to ransomware-related signatures.

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034093 - ET DOS Possible Microsoft Windows HTTP2 Reset Flood Denial of
Service Inbound (CVE-2019-9514) (dos.rules)
2034094 - ET INFO HTTP/2 Traffic (SET) (info.rules)
2034095 - ET DOS Possible Apache Traffic Server HTTP2 Settings Flood
Denial of Service Inbound (CVE-2019-9515) (dos.rules)
2034096 - ET DOS Possible Apache Traffic Server HTTP2 Settings Flood
Error Response (CVE-2019-9515) (dos.rules)
2034097 - ET INFO Observed AutoDesk Domain in TLS SNI (autodesk360 .com)
(info.rules)
2034098 - ET INFO Observed AutoDesk Domain in TLS SNI (api .autodesk
.com) (info.rules)
2034099 - ET TROJAN Observed Cobalt Strike CnC Domain (yawero .com in TLS
SNI) (trojan.rules)
2034100 - ET TROJAN Observed Cobalt Strike CnC Domain (sazoya .com in TLS
SNI) (trojan.rules)
2034101 - ET TROJAN Wintervivern Related CnC Domain in DNS Lookup
(securetourspd .com) (trojan.rules)
2034102 - ET TROJAN Wintervivern Related CnC Domain in DNS Lookup
(secure-daddy .com) (trojan.rules)
2034103 - ET TROJAN Wintervivern Related CnC Domain in DNS Lookup
(centr-security .com) (trojan.rules)
2034104 - ET TROJAN Wintervivern Related CnC Domain in DNS Lookup
(securemanag .com) (trojan.rules)
2034105 - ET TROJAN Wintervivern Activity (GET) (trojan.rules)
2034106 - ET TROJAN Wintervivern Activity M2 (GET) (trojan.rules)
2034107 - ET TROJAN Wintervivern Retrieving Task (trojan.rules)
2034108 - ET TROJAN Wintervivern Checkin (trojan.rules)
2034109 - ET TROJAN Wintervivern Activity (GET) M3 (trojan.rules)
2034110 - ET TROJAN MirrorBlast REBOL Payload Downloader (trojan.rules)

Pro:

2850099 - ETPRO TROJAN FlawedGrace CnC Activity M2 (trojan.rules)
2850100 - ETPRO EXPLOIT Possible Adobe Acrobat JOBOPTIONS File Parsing
Out of Bounds Write Inbound M2 (CVE-2019-7111) (exploit.rules)
2850101 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-10-04
(current_events.rules)
2850102 - ETPRO TROJAN MSIL/Ixanity Crypto Clipper CnC Exfil via Discord
(trojan.rules)
2850103 - ETPRO TROJAN MalDoc Reporting Infection 2021-10-04
(trojan.rules)
2850104 - ETPRO TROJAN CobaltStrike Malleable C2 Beacon (MS Update
Profile) (trojan.rules)
2850105 - ETPRO TROJAN CobaltStrike Malleable C2 Beacon (Unk Profile)
(trojan.rules)
2850106 - ETPRO TROJAN MalDoc Reporting System Information 2021-10-04
(trojan.rules)
2850107 - ETPRO TROJAN Win32/Kryptik.HHNM Variant Retrieving Payload
(trojan.rules)

[///] Modified active rules: [///]

2033939 - ET TROJAN SQUIRRELWAFFLE Loader Activity (POST) (trojan.rules)
2034091 - ET TROJAN MirrorBlast Downloader Activity (trojan.rules)
2850098 - ETPRO TROJAN FlawedGrace CnC Activity M1 (trojan.rules)

[///] Modified inactive rules: [///]

2849304 - ETPRO POLICY [MS-SRVS] Microsoft Server Service Remote Protocol
Activity - NetShareEnumAll (policy.rules)

[---] Disabled and modified rules: [---]

2002803 - ET EXPLOIT BMP with invalid bfOffBits (exploit.rules)
