[***] Summary: [***]
24 new OPEN, 31 new PRO (24 + 7). More log4j sigs, outbound RMI/LDAPS sigs, Khonsri Ransomware, Cobalt Strike, and AjaxPro RCE (CVE-2021-23758).
Huge Thanks to @Unit42_Intel, @malware_traffic and @SLASH30Miata
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2034706 - ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (CVE-2021-44228) (exploit.rules)
2034707 - ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (CVE-2021-44228) (exploit.rules)
2034708 - ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (CVE-2021-44228) (exploit.rules)
2034709 - ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (CVE-2021-44228) (exploit.rules)
2034710 - ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (CVE-2021-44228) (exploit.rules)
2034711 - ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (CVE-2021-44228) (exploit.rules)
2034712 - ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (CVE-2021-44228) (exploit.rules)
2034713 - ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (CVE-2021-44228) (exploit.rules)
2034714 - ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (CVE-2021-44228) (exploit.rules)
2034715 - ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (CVE-2021-44228) (exploit.rules)
2034716 - ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (CVE-2021-44228) (exploit.rules)
2034717 - ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (CVE-2021-44228) (exploit.rules)
2034718 - ET POLICY RMI Request Outbound (policy.rules)
2034719 - ET POLICY LDAPSv3 LDAPS_START_TLS Request Outbound (policy.rules)
2034720 - ET POLICY Successful LDAPSv3 LDAPS_START_TLS Request Outbound (policy.rules)
2034721 - ET POLICY Successful LDAPSv3 LDAPS_START_TLS Request Outbound (policy.rules)
2034722 - ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response (attack_response.rules)
2034723 - ET TROJAN MSIL/Khonsri Ransomware CnC Activity (trojan.rules)
2034724 - ET MALWARE Win32/2345.H Variant Activity (POST) (malware.rules)
2034725 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (trojan.rules)
2034726 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2034727 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (bqtconsulting .com) (trojan.rules)
2034728 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2034729 - ET EXPLOIT AjaxPro RCE Attempt (CVE-2021-23758) (exploit.rules)
Pro:
2850680 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-12 1) (trojan.rules)
2850681 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-12 2) (trojan.rules)
2850682 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-12 3) (trojan.rules)
2850683 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-12 4) (trojan.rules)
2850684 - ETPRO TROJAN Observed AZORult CnC Domain in TLS SNI (trojan.rules)
2850685 - ETPRO TROJAN Generic Trojan Activity M1 (trojan.rules)
2850686 - ETPRO TROJAN Generic Trojan Activity M2 (trojan.rules)
[///] Modified active rules: [///]
2013035 - ET POLICY Java Client HTTP Request (policy.rules)
2843524 - ETPRO CURRENT_EVENTS Successful Generic Captcha Phish 2020-07-14 (current_events.rules)