[***] Summary: [***]

37 new OPEN, 42 new PRO (37 + 5). CVE-2021-40539, CVE-2021-20837, Lyceum, Cobalt Strike

Thanks: @Thingzeye, @twinwavesec

Proofpoint is looking to hire a Product Manager to oversee the Emerging Threats products group. Interested? Check out the posting here<https://proofpoint.wd5.myworkdayjobs.com/ProofpointCareers/job/Sunnyval…;, and reach out with any questions.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034361 - ET TROJAN RedLine - GetArguments Request (trojan.rules)

2034362 - ET EXPLOIT ManageEngine AdSelfService Plus - Authentication Bypass Attempt (CVE-2021-40539) (exploit.rules)

2034363 - ET EXPLOIT ManageEngine AdSelfService Plus - Arbritrary File Upload Attempt (CVE-2021-40539) (exploit.rules)

2034364 - ET EXPLOIT ManageEngine AdSelfService Plus - .jsp WebShell Upload Attempt (CVE-2021-40539) (exploit.rules)

2034365 - ET EXPLOIT ManageEngine AdSelfService Plus - Possible Code Execution via openSSLTool (CVE-2021-40539) (exploit.rules)

2034366 - ET EXPLOIT Possible MovableTypePoC RCE Inbound (CVE-2021-20837) (exploit.rules)

2034367 - ET TROJAN SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Beacon) (trojan.rules)

2034368 - ET TROJAN SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Download) (trojan.rules)

2034369 - ET TROJAN SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Upload) (trojan.rules)

2034370 - ET TROJAN Lyceum Backdoor CnC Activity M1 (trojan.rules)

2034371 - ET TROJAN Lyceum Backdoor CnC Activity M2 (trojan.rules)

2034372 - ET TROJAN Lyceum Backdoor CnC Activity M3 (trojan.rules)

2034373 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034374 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034375 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034376 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034377 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034378 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034379 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034380 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034381 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034382 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034383 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034384 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034385 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034386 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034387 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034388 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034389 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034390 - ET TROJAN LYCEUM CnC Domain in DNS Lookup (trojan.rules)

2034391 - ET TROJAN Cobalt Strike Related CnC Domain in DNS Lookup (rackspare-technology .digital) (trojan.rules)

2034392 - ET TROJAN Malicious Cobalt Strike SSL Cert (asurecloud .tech) (trojan.rules)

2034393 - ET TROJAN Observed Cobalt Strike Domain (asureupdate .tech in TLS SNI) (trojan.rules)

2034394 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (asureupdate .pro) (trojan.rules)

2034395 - ET TROJAN Downloaded Script Disables Firewall/Antivirus (trojan.rules)

2034396 - ET TROJAN WBK Download from dotted-quad Host (trojan.rules)

2034397 - ET CURRENT_EVENTS Successful Citibank Phish Landing Page (current_events.rules)

Pro:

2850389 - ETPRO INFO Observed DNS Query to DDNS Domain .noip .com (info.rules)

2850390 - ETPRO INFO Observed DNS Query to DDNS Domain .dnsdynamic .org (info.rules)

2850391 - ETPRO INFO Observed DNS Query to DDNS Domain .sitelutions .com (info.rules)

2850392 - ETPRO TROJAN MSIL/Kryptik.ACNA Variant SMTP Exfil Activity M4 (trojan.rules)

2850393 - ETPRO TROJAN Win32/Sabsik Checkin (PUT) (trojan.rules)

[///] Modified active rules: [///]

2031111 - ET TROJAN Magecart CnC Domain Observed in DNS Query (trojan.rules)

2033760 - ET TROJAN SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Checkin (trojan.rules)

[---] Removed rules: [---]

2848171 - ETPRO TROJAN RedLine - GetArguments Request (trojan.rules)
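The notice above follows a fixed layout (banner lines, an Open/Pro split under Added, one sid per line with the ET/ETPRO prefix, category, message and rule file), so it can be parsed and cross-checked automatically: does the "N new OPEN, M new PRO (N + K)" arithmetic match the sids actually listed, and which removed ETPRO sids reappear as open ET sids with the same message (here 2848171 is removed while 2034361 is added with the identical RedLine message). The script below is an added example, not part of the Emerging Threats notice or of suricata-update; the NOTICE string is a constructed excerpt of this page with its summary counts adjusted to match the excerpt, and the enable.conf output assumes suricata-update's one-sid-per-line matcher format.

```python
"""Parse an Emerging Threats daily update notice and sanity-check it (added example)."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed excerpt of the notice above; counts in the summary line match this excerpt.
NOTICE = """\
[***] Summary: [***]

2 new OPEN, 3 new PRO (2 + 1). CVE-2021-40539, Lyceum

Thanks: @Thingzeye, @twinwavesec

[+++] Added rules: [+++]

Open:

2034361 - ET TROJAN RedLine - GetArguments Request (trojan.rules)

2034362 - ET EXPLOIT ManageEngine AdSelfService Plus - Authentication Bypass Attempt (CVE-2021-40539) (exploit.rules)

Pro:

2850389 - ETPRO INFO Observed DNS Query to DDNS Domain .noip .com (info.rules)

[///] Modified active rules: [///]

2031111 - ET TROJAN Magecart CnC Domain Observed in DNS Query (trojan.rules)

[---] Removed rules: [---]

2848171 - ETPRO TROJAN RedLine - GetArguments Request (trojan.rules)
"""

# Banners such as "[+++] Added rules: [+++]"; group 1 selects the section.
SECTION_RE = re.compile(r"^\[(\*\*\*|\+\+\+|///|---)\]\s*(.*?):\s*\[\1\]$")
# Rule lines: "<sid> - ET|ETPRO <CATEGORY> <message> (<file>.rules)"
RULE_RE = re.compile(r"^(\d{7}) - (ET(?:PRO)?) (\S+) (.*) \((\S+\.rules)\)$")
# Summary counts: "<open> new OPEN, <pro_total> new PRO (<open> + <pro_only>)"
SUMMARY_RE = re.compile(r"^(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
BANNERS = {"***": "summary", "+++": "added", "///": "modified", "---": "removed"}


class Rule(NamedTuple):
    sid: int
    prefix: str      # "ET" (open ruleset) or "ETPRO"
    category: str    # TROJAN, EXPLOIT, INFO, CURRENT_EVENTS, ...
    msg: str
    rulefile: str


def parse_notice(text: str) -> Dict:
    """Split a notice into its summary line, added (open/pro), modified and removed rules."""
    out = {"summary": None, "added": {"open": [], "pro": []}, "modified": [], "removed": []}
    section, tier = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section, tier = BANNERS[banner.group(1)], None
            continue
        if section == "summary":
            if out["summary"] is None:   # first non-empty line after the banner
                out["summary"] = line
            continue                     # thanks/job/feedback lines are ignored
        if line in ("Open:", "Pro:"):
            tier = line[:-1].lower()
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = Rule(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5))
        if section == "added" and tier:
            out["added"][tier].append(rule)
        elif section in ("modified", "removed"):
            out[section].append(rule)
    return out


def check_summary(parsed: Dict) -> Tuple[bool, Dict[str, int]]:
    """Verify the summary's counts against the rules actually listed under Added."""
    listed_open = len(parsed["added"]["open"])
    listed_pro = len(parsed["added"]["pro"])
    detail = {"listed_open": listed_open, "listed_pro_only": listed_pro}
    m = SUMMARY_RE.match(parsed["summary"] or "")
    if not m:
        return False, detail
    s_open, s_pro_total, s_open_again, s_pro_only = map(int, m.groups())
    detail.update({"claimed_open": s_open, "claimed_pro_total": s_pro_total})
    ok = (s_open == s_open_again == listed_open
          and s_pro_only == listed_pro
          and s_pro_total == s_open_again + s_pro_only)
    return ok, detail


def pro_to_open_migrations(parsed: Dict) -> List[Tuple[int, int]]:
    """Pair a removed ETPRO sid with a new open ET sid carrying the same category and message."""
    open_by_key = {(r.category, r.msg): r.sid for r in parsed["added"]["open"]}
    return [(r.sid, open_by_key[(r.category, r.msg)])
            for r in parsed["removed"]
            if r.prefix == "ETPRO" and (r.category, r.msg) in open_by_key]


def enable_conf_lines(parsed: Dict, categories: set) -> List[str]:
    """Lines for a suricata-update enable.conf (one sid per line) for the chosen categories."""
    lines = []
    for r in parsed["added"]["open"] + parsed["added"]["pro"]:
        if r.category in categories:
            lines.append(f"# {r.prefix} {r.category} {r.msg}")
            lines.append(str(r.sid))
    return lines


if __name__ == "__main__":
    parsed = parse_notice(NOTICE)
    print(check_summary(parsed), pro_to_open_migrations(parsed))
    print("\n".join(enable_conf_lines(parsed, {"EXPLOIT"})))
```

Feed the full notice text to parse_notice and check_summary flags any drift between the headline counts and the listed sids before the numbers are copied into a change ticket; the migration pairs are worth recording because a sensor that had 2848171 enabled by sid will silently lose that coverage unless 2034361 is enabled in its place.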
