[***] Summary: [***]

16 new OPEN, 23 new PRO (16 + 7). Andariel backdoor, Various Phishing

Thanks @threatray

Check out the EmergingThreats log4j detection page here <https://github.com/EmergingThreats/log4shell-detection>.

Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2029829 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029830 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029831 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029832 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029833 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029834 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029835 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2029836 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2031516 - ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M1 (policy.rules)

2031517 - ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M2 (policy.rules)

2031518 - ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M3 (policy.rules)

2031519 - ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M4 (policy.rules)

2031609 - ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M5 (policy.rules)

2034237 - ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain (policy.rules)

2034837 - ET TROJAN Andariel Backdoor Activity (Checkin) (trojan.rules)

2034838 - ET SCAN WordPress HelloThinkCMF Scan (scan.rules)

Pro:

2850725 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2021-12-21 1) (trojan.rules)

[///] Modified active rules: [///]

2011581 - ET POLICY Vulnerable Java Version 1.5.x Detected (policy.rules)

2011582 - ET POLICY Vulnerable Java Version 1.6.x Detected (policy.rules)

2011584 - ET POLICY Vulnerable Java Version 1.4.x Detected (policy.rules)

2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)

2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)

2028867 - ET POLICY Vulnerable Java Version 11.0.x Detected (policy.rules)

2028868 - ET POLICY Vulnerable Java Version 12.0.x Detected (policy.rules)

2028869 - ET POLICY Vulnerable Java Version 13.0.x Detected (policy.rules)

2034758 - ET EXPLOIT Apache log4j RCE Attempt (http rmi) (Outbound) (CVE-2021-44228) (exploit.rules)

2034812 - ET POLICY Non-Anonymous LDAPv3 Bind Request Outbound (policy.rules)

2034814 - ET POLICY Vulnerable Java Version 14.0.x Detected (policy.rules)

2034815 - ET POLICY Vulnerable Java Version 15.0.x Detected (policy.rules)

2034816 - ET POLICY Vulnerable Java Version 16.0.x Detected (policy.rules)

2034817 - ET POLICY Vulnerable Java Version 17.0.x Detected (policy.rules)

2807762 - ETPRO TROJAN Win32/Killav.CM Checkin (trojan.rules)

2810099 - ETPRO TROJAN Chthonic CnC Beacon 7 (trojan.rules)

2831005 - ETPRO POLICY Observed Suspicious SSL Cert (Possible KnowBe4 Phish Training) (policy.rules)

2832865 - ETPRO POLICY KnowBe4 Phish Training HTTP Request (policy.rules)

[---] Disabled and modified rules: [---]

2020505 - ET TROJAN Win32.Sality.3 Checkin (trojan.rules)

[---] Removed rules: [---]

2029829 - ET CURRENT_EVENTS Observed DNS Query to KnowBe4 Simulated Phish Domain (current_events.rules)

2029830 - ET CURRENT_EVENTS Observed DNS Query to KnowBe4 Simulated Phish Domain (current_events.rules)

2029831 - ET CURRENT_EVENTS Observed DNS Query to KnowBe4 Simulated Phish Domain (current_events.rules)

2029832 - ET CURRENT_EVENTS Observed DNS Query to KnowBe4 Simulated Phish Domain (current_events.rules)

2029833 - ET CURRENT_EVENTS Observed DNS Query to KnowBe4 Simulated Phish Domain (current_events.rules)

2029834 - ET CURRENT_EVENTS Observed DNS Query to KnowBe4 Simulated Phish Domain (current_events.rules)

2029835 - ET CURRENT_EVENTS Observed DNS Query to KnowBe4 Simulated Phish Domain (current_events.rules)

2029836 - ET CURRENT_EVENTS Observed DNS Query to KnowBe4 Simulated Phish Domain (current_events.rules)

2031516 - ET CURRENT_EVENTS Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M1 (current_events.rules)

2031517 - ET CURRENT_EVENTS Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M2 (current_events.rules)

2031518 - ET CURRENT_EVENTS Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M3 (current_events.rules)

2031519 - ET CURRENT_EVENTS Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M4 (current_events.rules)

2031609 - ET CURRENT_EVENTS Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M5 (current_events.rules)

2034237 - ET CURRENT_EVENTS Observed DNS Query to KnowBe4 Simulated Phish Domain (current_events.rules)
