[***] Summary: [***]

22 new OPEN, 22 new PRO (22 + 0). More log4j, Cobalt Strike and BazarLoader.

Thanks Juniper Threat Labs, @bad_packets and @malwrhunterteam

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2034747 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Payload Domain (rce .ee) (attack_response.rules)
2034748 - ET POLICY Serialized Java Payload via RMI Response (policy.rules)
2034749 - ET POLICY Unserialized Java Payload via RMI Response (policy.rules)
2034750 - ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (Outbound) (CVE-2021-44228) (exploit.rules)
2034751 - ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (Outbound) (CVE-2021-44228) (exploit.rules)
2034752 - ET TROJAN Win32/BazarLoader Activity (GET) (trojan.rules)
2034753 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (gawocag .com) (trojan.rules)
2034754 - ET TROJAN Cobalt Strike Related Domain in DNS Lookup (hiduwu .com) (trojan.rules)
2034755 - ET EXPLOIT Apache Obfuscated log4j RCE Attempt (tcp ldap) (CVE-2021-44228) (exploit.rules)
2034756 - ET TROJAN Cobalt Strike Activity (GET) (trojan.rules)
2034757 - ET EXPLOIT Apache log4j RCE Attempt (http ldap) (Outbound) (CVE-2021-44228) (exploit.rules)
2034758 - ET EXPLOIT Apache log4j RCE Attempt (http rmi) (Outbound) (CVE-2021-44228) (exploit.rules)
2034759 - ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (Outbound) (CVE-2021-44228) (exploit.rules)
2034760 - ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (Outbound) (CVE-2021-44228) (exploit.rules)
2034761 - ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (Outbound) (CVE-2021-44228) (exploit.rules)
2034762 - ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (Outbound) (CVE-2021-44228) (exploit.rules)
2034763 - ET EXPLOIT Apache log4j RCE Attempt (udp dns) (Outbound) (CVE-2021-44228) (exploit.rules)
2034764 - ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (Outbound) (CVE-2021-44228) (exploit.rules)
2034765 - ET EXPLOIT Apache log4j RCE Attempt (http dns) (Outbound) (CVE-2021-44228) (exploit.rules)
2034766 - ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (Outbound) (CVE-2021-44228) (exploit.rules)
2034767 - ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (Outbound) (CVE-2021-44228) (exploit.rules)
2034768 - ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (Outbound) (CVE-2021-44228) (exploit.rules)

[///] Modified active rules: [///]

2034632 - ET TROJAN Maldoc Retrieving Binary (trojan.rules)
2034673 - ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (CVE-2021-44228) (exploit.rules)
2034739 - ET TROJAN DCRat CnC Activity M11 (trojan.rules)
2034742 - ET INFO URL Shortner Domain in DNS Lookup (urlz .fr) (info.rules)
2850292 - ETPRO TROJAN MSIL/TrojanDownloader.Age CnC Activity (trojan.rules)

[---] Removed rules: [---]

2034682 - ET TROJAN Kimsuky Related Domain in DNS Lookup (trojan.rules)
